open-consul/agent/consul/acl_token_exp.go

package consul

import (
	"context"
	"fmt"
	"time"

	"github.com/hashicorp/consul/agent/structs"
	"golang.org/x/time/rate"
)

func (s *Server) reapExpiredTokens(ctx context.Context) error {
	limiter := rate.NewLimiter(aclTokenReapingRateLimit, aclTokenReapingBurst)
	for {
		if err := limiter.Wait(ctx); err != nil {
			return err
		}

		if s.LocalTokensEnabled() {
			if _, err := s.reapExpiredLocalACLTokens(); err != nil {
				s.logger.Error("error reaping expired local ACL tokens", "error", err)
			}
		}
		if s.InACLDatacenter() {
			if _, err := s.reapExpiredGlobalACLTokens(); err != nil {
				s.logger.Error("error reaping expired global ACL tokens", "error", err)
			}
		}
	}
}

func (s *Server) startACLTokenReaping() {
	// Do a quick check for config settings that would imply the goroutine
	// below will just spin forever.
	//
	// We can only check the config settings here that cannot change without a
	// restart, so we omit the check for a non-empty replication token as that
	// can be changed at runtime.
	if !s.InACLDatacenter() && !s.config.ACLTokenReplication {
		return
	}

	s.leaderRoutineManager.Start(aclTokenReapingRoutineName, s.reapExpiredTokens)
}

func (s *Server) stopACLTokenReaping() {
	s.leaderRoutineManager.Stop(aclTokenReapingRoutineName)
}

func (s *Server) reapExpiredGlobalACLTokens() (int, error) {
	return s.reapExpiredACLTokens(false, true)
}
func (s *Server) reapExpiredLocalACLTokens() (int, error) {
	return s.reapExpiredACLTokens(true, false)
}
func (s *Server) reapExpiredACLTokens(local, global bool) (int, error) {
	if !s.config.ACLsEnabled {
		return 0, nil
	}
	if s.UseLegacyACLs() {
		return 0, nil
	}
	if local == global {
		return 0, fmt.Errorf("cannot reap both local and global tokens in the same request")
	}

	locality := localityName(local)

	minExpiredTime, err := s.fsm.State().ACLTokenMinExpirationTime(local)
	if err != nil {
		return 0, err
	}

	now := time.Now()

	if minExpiredTime.After(now) {
		return 0, nil // nothing to do
	}

	tokens, _, err := s.fsm.State().ACLTokenListExpired(local, now, aclBatchDeleteSize)
	if err != nil {
		return 0, err
	}

	if len(tokens) == 0 {
		return 0, nil
	}

	var (
		secretIDs []string
		req       structs.ACLTokenBatchDeleteRequest
	)
	for _, token := range tokens {
		if token.Local != local {
			return 0, fmt.Errorf("expired index for local=%v returned a mismatched token with local=%v: %s", local, token.Local, token.AccessorID)
		}
		req.TokenIDs = append(req.TokenIDs, token.AccessorID)
		secretIDs = append(secretIDs, token.SecretID)
	}

	s.logger.Info("deleting expired ACL tokens",
		"amount", len(req.TokenIDs),
		"locality", locality,
	)
	resp, err := s.raftApply(structs.ACLTokenDeleteRequestType, &req)
	if err != nil {
		return 0, fmt.Errorf("Failed to apply token expiration deletions: %v", err)
	}

	// Purge the identities from the cache
	for _, secretID := range secretIDs {
		s.acls.cache.RemoveIdentity(tokenSecretCacheID(secretID))
	}

	if respErr, ok := resp.(error); ok {
		return 0, respErr
	}

	return len(req.TokenIDs), nil
}

func localityName(local bool) string {
	if local {
		return "local"
	}
	return "global"
}
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`package consul`

			`import (`
			`"context"`
			`"fmt"`
			`"time"`

			`"github.com/hashicorp/consul/agent/structs"`
			`"golang.org/x/time/rate"`
			`)`

Implement Leader Routine Management (#6580) * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually). 2019-10-04 17:08:45 +00:00			`func (s *Server) reapExpiredTokens(ctx context.Context) error {`
			`limiter := rate.NewLimiter(aclTokenReapingRateLimit, aclTokenReapingBurst)`
			`for {`
			`if err := limiter.Wait(ctx); err != nil {`
			`return err`
			`}`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00
Implement Leader Routine Management (#6580) * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually). 2019-10-04 17:08:45 +00:00			`if s.LocalTokensEnabled() {`
			`if _, err := s.reapExpiredLocalACLTokens(); err != nil {`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`s.logger.Error("error reaping expired local ACL tokens", "error", err)`
Implement Leader Routine Management (#6580) * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually). 2019-10-04 17:08:45 +00:00			`}`
			`}`
			`if s.InACLDatacenter() {`
			`if _, err := s.reapExpiredGlobalACLTokens(); err != nil {`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`s.logger.Error("error reaping expired global ACL tokens", "error", err)`
Implement Leader Routine Management (#6580) * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually). 2019-10-04 17:08:45 +00:00			`}`
			`}`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`}`
Implement Leader Routine Management (#6580) * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually). 2019-10-04 17:08:45 +00:00			`}`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00
Implement Leader Routine Management (#6580) * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually). 2019-10-04 17:08:45 +00:00			`func (s *Server) startACLTokenReaping() {`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`// Do a quick check for config settings that would imply the goroutine`
			`// below will just spin forever.`
			`//`
			`// We can only check the config settings here that cannot change without a`
			`// restart, so we omit the check for a non-empty replication token as that`
			`// can be changed at runtime.`
			`if !s.InACLDatacenter() && !s.config.ACLTokenReplication {`
			`return`
			`}`

Implement Leader Routine Management (#6580) * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually). 2019-10-04 17:08:45 +00:00			`s.leaderRoutineManager.Start(aclTokenReapingRoutineName, s.reapExpiredTokens)`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`}`

			`func (s *Server) stopACLTokenReaping() {`
Implement Leader Routine Management (#6580) * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually). 2019-10-04 17:08:45 +00:00			`s.leaderRoutineManager.Stop(aclTokenReapingRoutineName)`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`}`

			`func (s *Server) reapExpiredGlobalACLTokens() (int, error) {`
			`return s.reapExpiredACLTokens(false, true)`
			`}`
			`func (s *Server) reapExpiredLocalACLTokens() (int, error) {`
			`return s.reapExpiredACLTokens(true, false)`
			`}`
			`func (s *Server) reapExpiredACLTokens(local, global bool) (int, error) {`
Remove ACLsEnabled from delegate interface In all cases (oss/ent, client/server) this method was returning a value from config. Since the value is consistent, it doesn't need to be part of the delegate interface. 2020-07-03 20:52:08 +00:00			`if !s.config.ACLsEnabled {`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`return 0, nil`
			`}`
			`if s.UseLegacyACLs() {`
			`return 0, nil`
			`}`
			`if local == global {`
			`return 0, fmt.Errorf("cannot reap both local and global tokens in the same request")`
			`}`

			`locality := localityName(local)`

			`minExpiredTime, err := s.fsm.State().ACLTokenMinExpirationTime(local)`
			`if err != nil {`
			`return 0, err`
			`}`

			`now := time.Now()`

			`if minExpiredTime.After(now) {`
			`return 0, nil // nothing to do`
			`}`

			`tokens, _, err := s.fsm.State().ACLTokenListExpired(local, now, aclBatchDeleteSize)`
			`if err != nil {`
			`return 0, err`
			`}`

			`if len(tokens) == 0 {`
			`return 0, nil`
			`}`

			`var (`
			`secretIDs []string`
			`req structs.ACLTokenBatchDeleteRequest`
			`)`
			`for _, token := range tokens {`
			`if token.Local != local {`
			`return 0, fmt.Errorf("expired index for local=%v returned a mismatched token with local=%v: %s", local, token.Local, token.AccessorID)`
			`}`
			`req.TokenIDs = append(req.TokenIDs, token.AccessorID)`
			`secretIDs = append(secretIDs, token.SecretID)`
			`}`

Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`s.logger.Info("deleting expired ACL tokens",`
			`"amount", len(req.TokenIDs),`
			`"locality", locality,`
			`)`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`resp, err := s.raftApply(structs.ACLTokenDeleteRequestType, &req)`
			`if err != nil {`
			`return 0, fmt.Errorf("Failed to apply token expiration deletions: %v", err)`
			`}`

			`// Purge the identities from the cache`
			`for _, secretID := range secretIDs {`
Ensure that cache entries for tokens are prefixed “token-secret… (#6688) This will be necessary once we store other types of identities in here. 2019-10-25 17:05:43 +00:00			`s.acls.cache.RemoveIdentity(tokenSecretCacheID(secretID))`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`}`

			`if respErr, ok := resp.(error); ok {`
			`return 0, respErr`
			`}`

			`return len(req.TokenIDs), nil`
			`}`

			`func localityName(local bool) string {`
			`if local {`
			`return "local"`
			`}`
			`return "global"`
			`}`