Merge pull request #4956 from hashicorp/b-vault-client-tweaks-followup

server/vault: Lock Vault expiration tracking
This commit is contained in:
Mahmood Ali 2018-12-04 19:46:59 -05:00 committed by GitHub
commit adb4d69576
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -145,7 +145,7 @@ type VaultStats struct {
// TokenTTL is the time-to-live duration for the current token
TokenTTL time.Duration
// TokenExpiry Time is the recoreded expiry time of the current token
// TokenExpiry is the recorded expiry time of the current token
TokenExpiry time.Time
}
@ -216,7 +216,8 @@ type vaultClient struct {
childTTL string
// currentExpiration is the time the current token lease expires
currentExpiration time.Time
currentExpiration time.Time
currentExpirationLock sync.Mutex
tomb *tomb.Tomb
logger log.Logger
@ -488,7 +489,9 @@ func (v *vaultClient) renewalLoop() {
case <-authRenewTimer.C:
// Renew the token and determine the new expiration
recoverable, err := v.renew()
v.currentExpirationLock.Lock()
currentExpiration := v.currentExpiration
v.currentExpirationLock.Unlock()
// Successfully renewed
if err == nil {
@ -602,7 +605,7 @@ func (v *vaultClient) renew() (bool, error) {
return true, fmt.Errorf("renewal successful but no lease duration returned")
}
v.currentExpiration = time.Now().Add(time.Duration(auth.LeaseDuration) * time.Second)
v.extendExpiration(auth.LeaseDuration)
v.logger.Debug("successfully renewed server token")
return true, nil
@ -650,7 +653,7 @@ func (v *vaultClient) parseSelfToken() error {
}
data.Root = root
v.tokenData = &data
v.currentExpiration = time.Now().Add(time.Duration(data.TTL) * time.Second)
v.extendExpiration(data.TTL)
// The criteria that must be met for the token to be valid are as follows:
// 1) If token is non-root or is but has a creation ttl
@ -1274,7 +1277,10 @@ func (v *vaultClient) stats() *VaultStats {
stats.TrackedForRevoke = len(v.revoking)
v.revLock.Unlock()
v.currentExpirationLock.Lock()
stats.TokenExpiry = v.currentExpiration
v.currentExpirationLock.Unlock()
if !stats.TokenExpiry.IsZero() {
stats.TokenTTL = time.Until(stats.TokenExpiry)
}
@ -1296,3 +1302,10 @@ func (v *vaultClient) EmitStats(period time.Duration, stopCh chan struct{}) {
}
}
}
// extendExpiration sets the current auth token expiration record to ttLSeconds seconds from now
func (v *vaultClient) extendExpiration(ttlSeconds int) {
v.currentExpirationLock.Lock()
v.currentExpiration = time.Now().Add(time.Duration(ttlSeconds) * time.Second)
v.currentExpirationLock.Unlock()
}