Remove internal version endpoint

ui/app/adapters/cluster.js

@@ -21,7 +21,6 @@ const ENDPOINTS = [
   'init',
   'capabilities-self',
   'license',
-  'internal/ui/version',
 ];
 
 const REPLICATION_ENDPOINTS = {
@@ -100,12 +99,8 @@ export default ApplicationAdapter.extend({
     });
   },
 
-  fetchVersion() {
-    return this.ajax(`${this.urlFor('internal/ui/version')}`, 'GET').catch(() => ({}));
-  },
-
-  sealStatus() {
-    return this.ajax(this.urlFor('seal-status'), 'GET', { unauthenticated: true });
+  sealStatus(unauthenticated = true) {
+    return this.ajax(this.urlFor('seal-status'), 'GET', { unauthenticated });
   },
 
   seal() {

ui/app/services/version.js

@@ -52,8 +52,9 @@ export default class VersionService extends Service {
   @task({ drop: true })
   *getVersion() {
     if (this.version) return;
-    const response = yield this.store.adapterFor('cluster').fetchVersion();
-    this.version = response.data?.version;
+    // Fetch seal status with token to get version
+    const response = yield this.store.adapterFor('cluster').sealStatus(false);
+    this.version = response?.version;
   }
 
   @task

ui/mirage/handlers/base.js

@@ -37,14 +37,6 @@ export default function (server) {
     };
   });
 
-  server.get('/sys/internal/ui/version', function () {
-    return {
-      data: {
-        version: '1.9.0+ent',
-      },
-    };
-  });
-
   server.get('/sys/license/status', function () {
     return {
       data: {

ui/mirage/handlers/reduced-disclosure.js

@@ -10,9 +10,13 @@ export default function (server) {
   server.get('/sys/health', (schema, req) =>
     modifyPassthroughResponse(req, { version: '', cluster_name: '' })
   );
-  server.get('/sys/seal-status', (schema, req) =>
-    modifyPassthroughResponse(req, { version: '', cluster_name: '', build_date: '' })
-  );
+  server.get('/sys/seal-status', (schema, req) => {
+    // When reduced disclosure is active, the version is only returned when a valid token is used
+    const overrides = req.requestHeaders['X-Vault-Token']
+      ? { cluster_name: '', build_date: '' }
+      : { version: '', cluster_name: '', build_date: '' };
+    return modifyPassthroughResponse(req, overrides);
+  });
   server.get('sys/replication/status', () => new Response(404, {}, { errors: ['disabled path'] }));
   server.get('sys/replication/dr/status', () => new Response(404, {}, { errors: ['disabled path'] }));
   server.get(

ui/tests/acceptance/config-ui/messages/messages-test.js

@@ -19,14 +19,6 @@ module('Acceptance | Community | config-ui/messages', function (hooks) {
   setupMirage(hooks);
 
   hooks.beforeEach(async function () {
-    this.server.get('sys/internal/ui/version', function () {
-      return {
-        data: {
-          version: '1.16.0',
-        },
-      };
-    });
-
     this.server.get('/sys/health', function () {
       return {
         enterprise: false,
@@ -100,13 +92,6 @@ module('Acceptance | Enterprise | config-ui/message', function (hooks) {
 
       await click(PAGE.button('create-message'));
     };
-    this.server.get('sys/internal/ui/version', function () {
-      return {
-        data: {
-          version: '1.16.0+ent',
-        },
-      };
-    });
     this.server.get('/sys/health', function () {
       return {
         enterprise: true,

ui/tests/acceptance/dashboard-test.js

@@ -83,7 +83,9 @@ module('Acceptance | landing page dashboard', function (hooks) {
     await visit('/vault/dashboard');
     const version = this.owner.lookup('service:version');
     // Since we're using mirage, version is mocked static value
-    const versionText = version.isEnterprise ? `Vault v1.9.0 root` : `Vault v1.9.0`;
+    const versionText = version.isEnterprise
+      ? `Vault ${version.versionDisplay} root`
+      : `Vault ${version.versionDisplay}`;
 
     assert.dom(SELECTORS.cardHeader('Vault version')).hasText(versionText);
   });

ui/tests/acceptance/reduced-disclosure-test.js

@@ -62,6 +62,7 @@ module('Acceptance | reduced disclosure test', function (hooks) {
         type: 'shamir',
         initialized: true,
         sealed: this.sealed,
+        version: '1.21.3',
       };
     });
     this.server.put(`/sys/seal`, () => {
@@ -84,11 +85,9 @@ module('Acceptance | reduced disclosure test', function (hooks) {
     });
     await authPage.login();
 
-    const versionSvc = this.owner.lookup('service:version');
     await visit('/vault/settings/seal');
-    assert
-      .dom('[data-test-footer-version]')
-      .hasText(`Vault ${versionSvc.version}`, 'shows version on seal page');
+
+    assert.dom('[data-test-footer-version]').hasText(`Vault 1.21.3`, 'shows version on seal page');
     assert.strictEqual(currentURL(), '/vault/settings/seal');
 
     // seal
@@ -115,9 +114,7 @@ module('Acceptance | reduced disclosure test', function (hooks) {
     assert.strictEqual(currentRouteName(), 'vault.cluster.auth', 'vault is ready to authenticate');
     assert.dom('[data-test-footer-version]').hasText(`Vault`, 'Version is still not shown before auth');
     await authPage.login();
-    assert
-      .dom('[data-test-footer-version]')
-      .hasText(`Vault ${versionSvc.version}`, 'Version is shown after login');
+    assert.dom('[data-test-footer-version]').hasText(`Vault 1.21.3`, 'Version is shown after login');
   });
 
   module('enterprise', function () {

ui/tests/unit/services/version-test.js

@@ -23,6 +23,16 @@ module('Unit | Service | version', function (hooks) {
     assert.true(service.isEnterprise);
   });
 
+  test('calculates versionDisplay correctly', function (assert) {
+    const service = this.owner.lookup('service:version');
+    service.type = 'community';
+    service.version = '1.2.3';
+    assert.strictEqual(service.versionDisplay, 'v1.2.3');
+    service.type = 'enterprise';
+    service.version = '1.4.7+ent';
+    assert.strictEqual(service.versionDisplay, 'v1.4.7');
+  });
+
   test('hasPerfReplication', function (assert) {
     const service = this.owner.lookup('service:version');
     assert.false(service.hasPerfReplication);

vault/logical_system.go

@@ -5249,18 +5249,6 @@ func (b *SystemBackend) pathInternalUIResultantACL(ctx context.Context, req *log
 	return resp, nil
 }
 
-// pathInternalUIVersion is the framework.PathOperation callback function for
-// the sys/internal/ui/version path. It simply returns the Vault version.
-func (b *SystemBackend) pathInternalUIVersion(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	resp := &logical.Response{
-		Data: map[string]any{
-			"version": version.GetVersion().VersionNumber(),
-		},
-	}
-
-	return resp, nil
-}
-
 func (b *SystemBackend) pathInternalOpenAPI(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	// Limit output to authorized paths
 	resp, err := b.pathInternalUIMountsRead(ctx, req, d)

vault/logical_system_integ_test.go

@@ -87,11 +87,6 @@ func TestSystemBackend_InternalUIResultantACL(t *testing.T) {
 					"read",
 				},
 			},
-			"sys/internal/ui/version": map[string]interface{}{
-				"capabilities": []interface{}{
-					"read",
-				},
-			},
 			"sys/leases/lookup": map[string]interface{}{
 				"capabilities": []interface{}{
 					"update",

vault/logical_system_paths.go

@@ -2895,31 +2895,6 @@ func (b *SystemBackend) internalPaths() []*framework.Path {
 				},
 			},
 		},
-		{
-			Pattern: "internal/ui/version",
-			DisplayAttrs: &framework.DisplayAttributes{
-				OperationPrefix: "internal-ui",
-				OperationVerb:   "read",
-				OperationSuffix: "version",
-			},
-			Operations: map[logical.Operation]framework.OperationHandler{
-				logical.ReadOperation: &framework.PathOperation{
-					Callback: b.pathInternalUIVersion,
-					Summary:  "Backwards compatibility is not guaranteed for this API",
-					Responses: map[int][]framework.Response{
-						http.StatusOK: {{
-							Description: "OK",
-							Fields: map[string]*framework.FieldSchema{
-								"version": {
-									Type:     framework.TypeString,
-									Required: true,
-								},
-							},
-						}},
-					},
-				},
-			},
-		},
 		{
 			Pattern: "internal/counters/requests",
 			DisplayAttrs: &framework.DisplayAttributes{

vault/policy_store.go

@@ -102,12 +102,6 @@ path "sys/internal/ui/resultant-acl" {
     capabilities = ["read"]
 }
 
-# Allow a token to look up the Vault version. This path is not subject to
-# redaction like the unauthenticated endpoints that provide the Vault version.
-path "sys/internal/ui/version" {
-	capabilities = ["read"]
-}
-
 # Allow a token to renew a lease via lease_id in the request body; old path for
 # old clients, new path for newer
 path "sys/renew" {

website/data/api-docs-nav-data.json

@@ -532,10 +532,6 @@
         "title": "<code>/sys/internal/ui/unauthenticated-messages</code>",
         "path": "system/internal-ui-unauthenticated-messages"
       },
-      {
-        "title": "<code>/sys/internal/ui/version</code>",
-        "path": "system/internal-ui-version"
-      },
       {
         "title": "<code>/sys/key-status</code>",
         "path": "system/key-status"