open-vault/vault/request_handling_util.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

//go:build !enterprise

package vault

import (
	"context"
	"sync"
	"time"

	"github.com/hashicorp/vault/helper/identity"
	"github.com/hashicorp/vault/sdk/logical"
)

func waitForReplicationState(context.Context, *Core, *logical.Request) (*sync.WaitGroup, error) {
	return nil, nil
}

func checkNeedsCG(context.Context, *Core, *logical.Request, *logical.Auth, error, []string) (error, *logical.Response, *logical.Auth, error) {
	return nil, nil, nil, nil
}

func checkErrControlGroupTokenNeedsCreated(err error) bool {
	return false
}

func shouldForward(c *Core, resp *logical.Response, err error) bool {
	return false
}

func syncCounters(c *Core) error {
	return nil
}

func syncBarrierEncryptionCounter(c *Core) error {
	return nil
}

func couldForward(c *Core) bool {
	return false
}

func forward(ctx context.Context, c *Core, req *logical.Request) (*logical.Response, error) {
	panic("forward called in OSS Vault")
}

func getLeaseRegisterFunc(c *Core) (func(context.Context, *logical.Request, *logical.Response, string) (string, error), error) {
	return c.expiration.Register, nil
}

func getAuthRegisterFunc(c *Core) (RegisterAuthFunc, error) {
	return c.RegisterAuth, nil
}

func getUserFailedLoginInfo(ctx context.Context, c *Core, userInfo FailedLoginUser) (*FailedLoginInfo, error) {
	return c.LocalGetUserFailedLoginInfo(ctx, userInfo), nil
}

func updateUserFailedLoginInfo(ctx context.Context, c *Core, userInfo FailedLoginUser, failedLoginInfo *FailedLoginInfo, deleteEntry bool) error {
	return c.LocalUpdateUserFailedLoginInfo(ctx, userInfo, failedLoginInfo, deleteEntry)
}

func possiblyForwardAliasCreation(ctx context.Context, c *Core, inErr error, auth *logical.Auth, entity *identity.Entity) (*identity.Entity, bool, error) {
	return entity, false, inErr
}

var errCreateEntityUnimplemented = "create entity unimplemented in the server"

func possiblyForwardEntityCreation(ctx context.Context, c *Core, inErr error, auth *logical.Auth, entity *identity.Entity) (*identity.Entity, error) {
	return entity, inErr
}

func updateLocalAlias(ctx context.Context, c *Core, auth *logical.Auth, entity *identity.Entity) error {
	return nil
}

func possiblyForwardSaveCachedAuthResponse(ctx context.Context, c *Core, respAuth *MFACachedAuthResponse) error {
	err := c.SaveMFAResponseAuth(respAuth)
	if err != nil {
		return err
	}

	return nil
}

func forwardCreateTokenRegisterAuth(ctx context.Context, c *Core, te *logical.TokenEntry, roleName string, renewable bool, periodToUse, explicitMaxTTLToUse time.Duration) (*logical.TokenEntry, error) {
	return nil, nil
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

Convert to Go 1.17 go:build directive (#13579) 2022-01-05 18:02:03 +00:00			`//go:build !enterprise`
The big one (#5346) 2018-09-18 03:03:00 +00:00
			`package vault`

			`import (`
			`"context"`
Apply OSS part of ENT change re waitForReplicationState. (#10837) 2021-02-04 14:10:35 +00:00			`"sync"`
Allow Token Create Requests To Be Replicated (#18689) * Allow Token Create Requests To Be Replicated * adding a test * revert a test 2023-01-24 19:00:27 +00:00			`"time"`
The big one (#5346) 2018-09-18 03:03:00 +00:00
			`"github.com/hashicorp/vault/helper/identity"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`)`

Apply OSS part of ENT change re waitForReplicationState. (#10837) 2021-02-04 14:10:35 +00:00			`func waitForReplicationState(context.Context, Core, logical.Request) (*sync.WaitGroup, error) {`
			`return nil, nil`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00
			`func checkNeedsCG(context.Context, Core, logical.Request, logical.Auth, error, []string) (error, logical.Response, *logical.Auth, error) {`
			`return nil, nil, nil, nil`
			`}`

core: port over CG and perf standby handling bits (#6530) 2019-04-03 21:16:49 +00:00			`func checkErrControlGroupTokenNeedsCreated(err error) bool {`
			`return false`
			`}`

Fix various read only storage errors * Fix various read only storage errors A mistake we've seen multiple times in our own plugins and that we've seen in the GCP plugin now is that control flow (how the code is structured, helper functions, etc.) can obfuscate whether an error came from storage or some other Vault-core location (in which case likely it needs to be a 5XX message) or because of user input (thus 4XX). Error handling for functions therefore often ends up always treating errors as either user related or internal. When the error is logical.ErrReadOnly this means that treating errors as user errors skips the check that triggers forwarding, instead returning a read only view error to the user. While it's obviously more correct to fix that code, it's not always immediately apparent to reviewers or fixers what the issue is and fixing it when it's found both requires someone to hit the problem and report it (thus exposing bugs to users) and selective targeted refactoring that only helps that one specific case. If instead we check whether the logical.Response is an error and, if so, whether it contains the error value, we work around this in all of these cases automatically. It feels hacky since it's a coding mistake, but it's one we've made too multiple times, and avoiding bugs altogether is better for our users. 2019-07-05 22:12:34 +00:00			`func shouldForward(c Core, resp logical.Response, err error) bool {`
Add code for writing and reading request counters to storage. (#5918) Increment a counter whenever a request is received. The in-memory counter is persisted to counters/requests/YYYY/MM. When the month wraps around, we reset the in-memory counter to zero. Add an endpoint for querying the request counters across all time. 2019-03-05 19:55:07 +00:00			`return false`
			`}`

OSS side barrier encryption tracking and automatic rotation (#11007) * Automatic barrier key rotation, OSS portion * Fix build issues * Vendored version * Add missing encs field, not sure where this got lost. 2021-02-25 20:27:25 +00:00			`func syncCounters(c *Core) error {`
			`return nil`
			`}`

			`func syncBarrierEncryptionCounter(c *Core) error {`
			`return nil`
Add code for writing and reading request counters to storage. (#5918) Increment a counter whenever a request is received. The in-memory counter is persisted to counters/requests/YYYY/MM. When the month wraps around, we reset the in-memory counter to zero. Add an endpoint for querying the request counters across all time. 2019-03-05 19:55:07 +00:00			`}`

			`func couldForward(c *Core) bool {`
			`return false`
			`}`

			`func forward(ctx context.Context, c Core, req logical.Request) (*logical.Response, error) {`
			`panic("forward called in OSS Vault")`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`}`

VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157) * VAULT-6613 add DetermineRoleFromLoginRequest function to Core * Fix body handling * Role resolution for rate limit quotas * VAULT-6613 update precedence test * Add changelog * VAULT-6614 start of changes for roles in LCQs * Expiration changes for leases * Add role information to RequestAuth * VAULT-6614 Test updates * VAULT-6614 Add expiration test with roles * VAULT-6614 fix comment * VAULT-6614 Protobuf on OSS * VAULT-6614 Add rlock to determine role code * VAULT-6614 Try lock instead of rlock * VAULT-6614 back to rlock while I think about this more * VAULT-6614 Additional safety for nil dereference * VAULT-6614 Use %q over %s * VAULT-6614 Add overloading to plugin backends * VAULT-6614 RLocks instead * VAULT-6614 Fix return for backend factory 2022-07-05 17:02:00 +00:00			`func getLeaseRegisterFunc(c Core) (func(context.Context, logical.Request, *logical.Response, string) (string, error), error) {`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`return c.expiration.Register, nil`
			`}`

			`func getAuthRegisterFunc(c *Core) (RegisterAuthFunc, error) {`
			`return c.RegisterAuth, nil`
			`}`

Vault 8307 user lockout workflow oss (#17951) * adding oss file changes * check disabled and read values from config * isUserLocked, getUserLockout Configurations, check user lock before login and return error * remove stale entry from storage during read * added failed login process workflow * success workflow updated * user lockouts external tests * changing update to support delete * provide access to alias look ahead function * adding path alias lookahead * adding tests * added changelog * added comments * adding changes from ent branch * adding lock to UpdateUserFailedLoginInfo * fix return default bug 2022-12-07 01:22:46 +00:00			`func getUserFailedLoginInfo(ctx context.Context, c Core, userInfo FailedLoginUser) (FailedLoginInfo, error) {`
backport of commit b54645514400b7c3db6e4a60b5491cdb7d55ceb6 (#20869) Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com> 2023-05-31 17:51:20 +00:00			`return c.LocalGetUserFailedLoginInfo(ctx, userInfo), nil`
Vault-8306 User Lockout RPCs oss changes (#17765) * adding oss file changes * updating changes from ent 2022-11-15 23:07:52 +00:00			`}`

Vault 8307 user lockout workflow oss (#17951) * adding oss file changes * check disabled and read values from config * isUserLocked, getUserLockout Configurations, check user lock before login and return error * remove stale entry from storage during read * added failed login process workflow * success workflow updated * user lockouts external tests * changing update to support delete * provide access to alias look ahead function * adding path alias lookahead * adding tests * added changelog * added comments * adding changes from ent branch * adding lock to UpdateUserFailedLoginInfo * fix return default bug 2022-12-07 01:22:46 +00:00			`func updateUserFailedLoginInfo(ctx context.Context, c Core, userInfo FailedLoginUser, failedLoginInfo FailedLoginInfo, deleteEntry bool) error {`
backport of commit b54645514400b7c3db6e4a60b5491cdb7d55ceb6 (#20869) Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com> 2023-05-31 17:51:20 +00:00			`return c.LocalUpdateUserFailedLoginInfo(ctx, userInfo, failedLoginInfo, deleteEntry)`
Vault-8306 User Lockout RPCs oss changes (#17765) * adding oss file changes * updating changes from ent 2022-11-15 23:07:52 +00:00			`}`

oss changes (#15487) * oss changes * add changelog 2022-05-18 16:16:13 +00:00			`func possiblyForwardAliasCreation(ctx context.Context, c Core, inErr error, auth logical.Auth, entity identity.Entity) (identity.Entity, bool, error) {`
			`return entity, false, inErr`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`}`
Local aliases OSS patch (#12848) * Local aliases OSS patch * build fix 2021-10-15 19:20:00 +00:00
			`var errCreateEntityUnimplemented = "create entity unimplemented in the server"`

			`func possiblyForwardEntityCreation(ctx context.Context, c Core, inErr error, auth logical.Auth, entity identity.Entity) (identity.Entity, error) {`
			`return entity, inErr`
			`}`
possibly forward cached MFA auth response to leader (#15469) * possibly forward cached MFA auth response to leader * adding CL 2022-05-17 20:30:36 +00:00
oss changes (#16407) 2022-07-21 17:53:42 +00:00			`func updateLocalAlias(ctx context.Context, c Core, auth logical.Auth, entity *identity.Entity) error {`
			`return nil`
			`}`

possibly forward cached MFA auth response to leader (#15469) * possibly forward cached MFA auth response to leader * adding CL 2022-05-17 20:30:36 +00:00			`func possiblyForwardSaveCachedAuthResponse(ctx context.Context, c Core, respAuth MFACachedAuthResponse) error {`
			`err := c.SaveMFAResponseAuth(respAuth)`
			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`}`
Allow Token Create Requests To Be Replicated (#18689) * Allow Token Create Requests To Be Replicated * adding a test * revert a test 2023-01-24 19:00:27 +00:00
			`func forwardCreateTokenRegisterAuth(ctx context.Context, c Core, te logical.TokenEntry, roleName string, renewable bool, periodToUse, explicitMaxTTLToUse time.Duration) (*logical.TokenEntry, error) {`
			`return nil, nil`
			`}`