2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2022-01-05 18:02:03 +00:00
|
|
|
//go:build !enterprise
|
2018-09-18 03:03:00 +00:00
|
|
|
|
|
|
|
package vault
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"path"
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/helper/namespace"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2018-09-18 03:03:00 +00:00
|
|
|
)
|
|
|
|
|
Add path based primary write forwarding (PBPWF) - OSS (#18735)
* Add WriteForwardedStorage to sdk's plugin, logical in OSS
This should allow backends to specify paths to forward write
(storage.Put(...) and storage.Delete(...)) operations for.
Notably, these semantics are subject to change and shouldn't yet be
relied on.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Collect paths for write forwarding in OSS
This adds a path manager to Core, allowing tracking across all Vault
versions of paths which could use write forwarding if available. In
particular, even on OSS offerings, we'll need to template {{clusterId}}
into the paths, in the event of later upgrading to Enterprise. If we
didn't, we'd end up writing paths which will no longer be accessible
post-migration, due to write forwarding now replacing the sentinel with
the actual cluster identifier.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add forwarded writer implementation to OSS
Here, for paths given to us, we determine if we need to do cluster
translation and perform local writing. This is the OSS variant.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Wire up mount-specific request forwarding in OSS
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify that state lock needs to be held to call HAState in OSS
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Move cluster sentinel constant to sdk/logical
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Expose ClusterID to Plugins via SystemView
This will let plugins learn what the Cluster's ID is, without having to
resort to hacks like writing a random string to its cluster-prefixed
namespace and then reading it once it has replicated.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add GRPC ClusterID implementation
For any external plugins which wish to use it.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-20 21:36:18 +00:00
|
|
|
func addPathCheckers(c *Core, entry *MountEntry, backend logical.Backend, viewPath string) {
|
|
|
|
c.addBackendWriteForwardedPaths(backend, viewPath)
|
|
|
|
}
|
|
|
|
|
|
|
|
func removePathCheckers(c *Core, entry *MountEntry, viewPath string) {
|
|
|
|
c.writeForwardedPaths.RemovePathPrefix(viewPath)
|
|
|
|
}
|
|
|
|
|
2018-09-18 03:03:00 +00:00
|
|
|
func addAuditPathChecker(*Core, *MountEntry, *BarrierView, string) {}
|
|
|
|
func removeAuditPathChecker(*Core, *MountEntry) {}
|
|
|
|
func addFilterablePath(*Core, string) {}
|
2023-06-15 17:05:27 +00:00
|
|
|
func addKnownPath(*Core, string) {}
|
2018-09-18 03:03:00 +00:00
|
|
|
func preprocessMount(*Core, *MountEntry, *BarrierView) (bool, error) { return false, nil }
|
|
|
|
func clearIgnoredPaths(context.Context, *Core, logical.Backend, string) error { return nil }
|
2019-06-17 18:11:35 +00:00
|
|
|
func addLicenseCallback(*Core, logical.Backend) {}
|
2023-06-15 20:41:45 +00:00
|
|
|
func runFilteredPathsEvaluation(context.Context, *Core, bool) error { return nil }
|
2018-09-18 03:03:00 +00:00
|
|
|
|
|
|
|
// ViewPath returns storage prefix for the view
|
|
|
|
func (e *MountEntry) ViewPath() string {
|
|
|
|
switch e.Type {
|
2023-10-16 11:38:11 +00:00
|
|
|
case mountTypeSystem:
|
2018-09-18 03:03:00 +00:00
|
|
|
return systemBarrierPrefix
|
|
|
|
case "token":
|
|
|
|
return path.Join(systemBarrierPrefix, tokenSubPath) + "/"
|
|
|
|
}
|
|
|
|
|
|
|
|
switch e.Table {
|
|
|
|
case mountTableType:
|
|
|
|
return backendBarrierPrefix + e.UUID + "/"
|
|
|
|
case credentialTableType:
|
|
|
|
return credentialBarrierPrefix + e.UUID + "/"
|
|
|
|
case auditTableType:
|
|
|
|
return auditBarrierPrefix + e.UUID + "/"
|
|
|
|
}
|
|
|
|
|
|
|
|
panic("invalid mount entry")
|
|
|
|
}
|
|
|
|
|
|
|
|
func verifyNamespace(*Core, *namespace.Namespace, *MountEntry) error { return nil }
|
2019-10-17 17:33:00 +00:00
|
|
|
|
|
|
|
// mountEntrySysView creates a logical.SystemView from global and
|
|
|
|
// mount-specific entries; because this should be called when setting
|
|
|
|
// up a mountEntry, it doesn't check to ensure that me is not nil
|
|
|
|
func (c *Core) mountEntrySysView(entry *MountEntry) extendedSystemView {
|
2023-05-17 16:12:04 +00:00
|
|
|
esi := extendedSystemViewImpl{
|
2019-10-17 17:33:00 +00:00
|
|
|
dynamicSystemView{
|
2022-10-05 12:56:36 +00:00
|
|
|
core: c,
|
|
|
|
mountEntry: entry,
|
|
|
|
perfStandby: c.perfStandby,
|
2019-10-17 17:33:00 +00:00
|
|
|
},
|
|
|
|
}
|
2023-05-17 16:12:04 +00:00
|
|
|
|
2023-05-19 18:15:43 +00:00
|
|
|
// Due to complexity in the ACME interface, only return it when we
|
|
|
|
// are a PKI plugin that needs it.
|
|
|
|
if entry.Type != "pki" {
|
|
|
|
return esi
|
|
|
|
}
|
|
|
|
return c.NewAcmeBillingSystemView(esi)
|
2019-10-17 17:33:00 +00:00
|
|
|
}
|
2023-07-10 19:52:42 +00:00
|
|
|
|
|
|
|
func (c *Core) entBuiltinPluginMetrics(ctx context.Context, entry *MountEntry, val float32) error {
|
|
|
|
return nil
|
|
|
|
}
|