open-vault/vault/dynamic_system_view.go

414 lines
12 KiB
Go
Raw Normal View History

package vault
import (
"context"
2017-04-25 01:31:27 +00:00
"fmt"
"time"
"github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/helper/random"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/license"
"github.com/hashicorp/vault/sdk/helper/pluginutil"
"github.com/hashicorp/vault/sdk/helper/wrapping"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/version"
)
type ctxKeyForwardedRequestMountAccessor struct{}
func (c ctxKeyForwardedRequestMountAccessor) String() string {
return "forwarded-req-mount-accessor"
}
type dynamicSystemView struct {
core *Core
mountEntry *MountEntry
perfStandby bool
}
type extendedSystemView interface {
logical.SystemView
logical.ExtendedSystemView
// SudoPrivilege won't work over the plugin system so we keep it here
// instead of in sdk/logical to avoid exposing to plugins
SudoPrivilege(context.Context, string, string) bool
}
type extendedSystemViewImpl struct {
dynamicSystemView
}
func (e extendedSystemViewImpl) Auditor() logical.Auditor {
return genericAuditor{
mountType: e.mountEntry.Type,
namespace: e.mountEntry.Namespace(),
c: e.core,
}
}
func (e extendedSystemViewImpl) ForwardGenericRequest(ctx context.Context, req *logical.Request) (*logical.Response, error) {
// Forward the request if allowed
if couldForward(e.core) {
ctx = namespace.ContextWithNamespace(ctx, e.mountEntry.Namespace())
ctx = logical.IndexStateContext(ctx, &logical.WALState{})
ctx = context.WithValue(ctx, ctxKeyForwardedRequestMountAccessor{}, e.mountEntry.Accessor)
return forward(ctx, e.core, req)
}
return nil, logical.ErrReadOnly
}
// SudoPrivilege returns true if given path has sudo privileges
// for the given client token
func (e extendedSystemViewImpl) SudoPrivilege(ctx context.Context, path string, token string) bool {
2015-09-21 14:04:03 +00:00
// Resolve the token policy
te, err := e.core.tokenStore.Lookup(ctx, token)
if err != nil {
e.core.logger.Error("failed to lookup sudo token", "error", err)
return false
}
2015-09-21 14:04:03 +00:00
// Ensure the token is valid
if te == nil {
e.core.logger.Error("entry not found for given token")
2015-09-21 14:04:03 +00:00
return false
}
policyNames := make(map[string][]string)
2018-09-18 03:03:00 +00:00
// Add token policies
policyNames[te.NamespaceID] = append(policyNames[te.NamespaceID], te.Policies...)
2018-09-18 03:03:00 +00:00
tokenNS, err := NamespaceByID(ctx, te.NamespaceID, e.core)
2018-09-18 03:03:00 +00:00
if err != nil {
e.core.logger.Error("failed to lookup token namespace", "error", err)
2018-09-18 03:03:00 +00:00
return false
}
if tokenNS == nil {
e.core.logger.Error("failed to lookup token namespace", "error", namespace.ErrNoNamespace)
2018-09-18 03:03:00 +00:00
return false
}
// Add identity policies from all the namespaces
entity, identityPolicies, err := e.core.fetchEntityAndDerivedPolicies(ctx, tokenNS, te.EntityID, te.NoIdentityPolicies)
if err != nil {
e.core.logger.Error("failed to fetch identity policies", "error", err)
return false
}
2018-09-18 03:03:00 +00:00
for nsID, nsPolicies := range identityPolicies {
policyNames[nsID] = append(policyNames[nsID], nsPolicies...)
2018-09-18 03:03:00 +00:00
}
2018-09-18 03:03:00 +00:00
tokenCtx := namespace.ContextWithNamespace(ctx, tokenNS)
// Add the inline policy if it's set
policies := make([]*Policy, 0)
if te.InlinePolicy != "" {
inlinePolicy, err := ParseACLPolicy(tokenNS, te.InlinePolicy)
if err != nil {
e.core.logger.Error("failed to parse the token's inline policy", "error", err)
return false
}
policies = append(policies, inlinePolicy)
}
2018-09-18 03:03:00 +00:00
// Construct the corresponding ACL object. Derive and use a new context that
// uses the req.ClientToken's namespace
acl, err := e.core.policyStore.ACL(tokenCtx, entity, policyNames, policies...)
2015-09-21 14:04:03 +00:00
if err != nil {
e.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)
2015-09-21 14:04:03 +00:00
return false
}
// The operation type isn't important here as this is run from a path the
// user has already been given access to; we only care about whether they
// have sudo. Note that we use root context because the path that comes in
// must be fully-qualified already so we don't want AllowOperation to
// prepend a namespace prefix onto it.
2017-01-20 00:54:08 +00:00
req := new(logical.Request)
req.Operation = logical.ReadOperation
req.Path = path
authResults := acl.AllowOperation(namespace.RootContext(ctx), req, true)
2017-10-23 20:03:36 +00:00
return authResults.RootPrivs
}
func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
def, _ := d.fetchTTLs()
return def
}
func (d dynamicSystemView) MaxLeaseTTL() time.Duration {
_, max := d.fetchTTLs()
return max
}
// TTLsByPath returns the default and max TTLs corresponding to a particular
// mount point, or the system default
func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {
def = d.core.defaultLeaseTTL
max = d.core.maxLeaseTTL
2018-09-18 03:03:00 +00:00
if d.mountEntry != nil {
if d.mountEntry.Config.DefaultLeaseTTL != 0 {
def = d.mountEntry.Config.DefaultLeaseTTL
}
if d.mountEntry.Config.MaxLeaseTTL != 0 {
max = d.mountEntry.Config.MaxLeaseTTL
}
}
return
}
// Tainted indicates that the mount is in the process of being removed
func (d dynamicSystemView) Tainted() bool {
return d.mountEntry.Tainted
}
// CachingDisabled indicates whether to use caching behavior
func (d dynamicSystemView) CachingDisabled() bool {
return d.core.cachingDisabled || (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)
}
func (d dynamicSystemView) LocalMount() bool {
return d.mountEntry != nil && d.mountEntry.Local
}
// Checks if this is a primary Vault instance. Caller should hold the stateLock
// in read mode.
2017-02-16 18:37:21 +00:00
func (d dynamicSystemView) ReplicationState() consts.ReplicationState {
2018-09-18 03:03:00 +00:00
state := d.core.ReplicationState()
if d.perfStandby {
2018-09-18 03:03:00 +00:00
state |= consts.ReplicationPerformanceStandby
}
return state
}
func (d dynamicSystemView) HasFeature(feature license.Features) bool {
return d.core.HasFeature(feature)
}
2017-03-16 00:14:48 +00:00
// ResponseWrapData wraps the given data in a cubbyhole and returns the
// token used to unwrap.
func (d dynamicSystemView) ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
2017-03-16 00:14:48 +00:00
req := &logical.Request{
Operation: logical.CreateOperation,
Path: "sys/wrapping/wrap",
2017-03-16 00:14:48 +00:00
}
resp := &logical.Response{
WrapInfo: &wrapping.ResponseWrapInfo{
2017-03-16 00:14:48 +00:00
TTL: ttl,
},
Data: data,
}
if jwt {
resp.WrapInfo.Format = "jwt"
}
_, err := d.core.wrapInCubbyhole(ctx, req, resp, nil)
2017-03-16 00:14:48 +00:00
if err != nil {
return nil, err
2017-03-16 00:14:48 +00:00
}
return resp.WrapInfo, nil
2017-03-16 00:14:48 +00:00
}
2017-04-04 00:52:29 +00:00
feature: multiplexing support for database plugins (#14033) * feat: DB plugin multiplexing (#13734) * WIP: start from main and get a plugin runner from core * move MultiplexedClient map to plugin catalog - call sys.NewPluginClient from PluginFactory - updates to getPluginClient - thread through isMetadataMode * use go-plugin ClientProtocol interface - call sys.NewPluginClient from dbplugin.NewPluginClient * move PluginSets to dbplugin package - export dbplugin HandshakeConfig - small refactor of PluginCatalog.getPluginClient * add removeMultiplexedClient; clean up on Close() - call client.Kill from plugin catalog - set rpcClient when muxed client exists * add ID to dbplugin.DatabasePluginClient struct * only create one plugin process per plugin type * update NewPluginClient to return connection ID to sdk - wrap grpc.ClientConn so we can inject the ID into context - get ID from context on grpc server * add v6 multiplexing protocol version * WIP: backwards compat for db plugins * Ensure locking on plugin catalog access - Create public GetPluginClient method for plugin catalog - rename postgres db plugin * use the New constructor for db plugins * grpc server: use write lock for Close and rlock for CRUD * cleanup MultiplexedClients on Close * remove TODO * fix multiplexing regression with grpc server connection * cleanup grpc server instances on close * embed ClientProtocol in Multiplexer interface * use PluginClientConfig arg to make NewPluginClient plugin type agnostic * create a new plugin process for non-muxed plugins * feat: plugin multiplexing: handle plugin client cleanup (#13896) * use closure for plugin client cleanup * log and return errors; add comments * move rpcClient wrapping to core for ID injection * refactor core plugin client and sdk * remove unused ID method * refactor and only wrap clientConn on multiplexed plugins * rename structs and do not export types * Slight refactor of system view interface * Revert "Slight refactor of system view interface" This reverts commit 73d420e5cd2f0415e000c5a9284ea72a58016dd6. * Revert "Revert "Slight refactor of system view interface"" This reverts commit f75527008a1db06d04a23e04c3059674be8adb5f. * only provide pluginRunner arg to the internal newPluginClient method * embed ClientProtocol in pluginClient and name logger * Add back MLock support * remove enableMlock arg from setupPluginCatalog * rename plugin util interface to PluginClient Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com> * feature: multiplexing: fix unit tests (#14007) * fix grpc_server tests and add coverage * update run_config tests * add happy path test case for grpc_server ID from context * update test helpers * feat: multiplexing: handle v5 plugin compiled with new sdk * add mux supported flag and increase test coverage * set multiplexingSupport field in plugin server * remove multiplexingSupport field in sdk * revert postgres to non-multiplexed * add comments on grpc server fields * use pointer receiver on grpc server methods * add changelog * use pointer for grpcserver instance * Use a gRPC server to determine if a plugin should be multiplexed * Apply suggestions from code review Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * add lock to removePluginClient * add multiplexingSupport field to externalPlugin struct * do not send nil to grpc MultiplexingSupport * check err before logging * handle locking scenario for cleanupFunc * allow ServeConfigMultiplex to dispense v5 plugin * reposition structs, add err check and comments * add comment on locking for cleanupExternalPlugin Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com> Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2022-02-17 14:50:33 +00:00
func (d dynamicSystemView) NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error) {
if d.core == nil {
return nil, fmt.Errorf("system view core is nil")
}
if d.core.pluginCatalog == nil {
return nil, fmt.Errorf("system view core plugin catalog is nil")
}
c, err := d.core.pluginCatalog.NewPluginClient(ctx, config)
if err != nil {
return nil, err
}
return c, nil
}
2017-04-11 00:12:52 +00:00
// LookupPlugin looks for a plugin with the given name in the plugin catalog. It
// returns a PluginRunner or an error if no plugin was found.
2018-11-07 01:21:24 +00:00
func (d dynamicSystemView) LookupPlugin(ctx context.Context, name string, pluginType consts.PluginType) (*pluginutil.PluginRunner, error) {
return d.LookupPluginVersion(ctx, name, pluginType, "")
}
// LookupPluginVersion looks for a plugin with the given name and version in the plugin catalog. It
// returns a PluginRunner or an error if no plugin was found.
func (d dynamicSystemView) LookupPluginVersion(ctx context.Context, name string, pluginType consts.PluginType, version string) (*pluginutil.PluginRunner, error) {
if d.core == nil {
return nil, fmt.Errorf("system view core is nil")
}
if d.core.pluginCatalog == nil {
return nil, fmt.Errorf("system view core plugin catalog is nil")
}
r, err := d.core.pluginCatalog.Get(ctx, name, pluginType, version)
2017-04-25 01:31:27 +00:00
if err != nil {
return nil, err
}
if r == nil {
errContext := name
if version != "" {
errContext += fmt.Sprintf(", version=%s", version)
}
return nil, fmt.Errorf("%w: %s", ErrPluginNotFound, errContext)
2017-04-25 01:31:27 +00:00
}
return r, nil
2017-04-04 00:52:29 +00:00
}
2017-04-11 00:12:52 +00:00
// ListVersionedPlugins returns information about all plugins of a certain
// typein the catalog, including any versioning information stored for them.
func (d dynamicSystemView) ListVersionedPlugins(ctx context.Context, pluginType consts.PluginType) ([]pluginutil.VersionedPlugin, error) {
if d.core == nil {
return nil, fmt.Errorf("system view core is nil")
}
if d.core.pluginCatalog == nil {
return nil, fmt.Errorf("system view core plugin catalog is nil")
}
return d.core.pluginCatalog.ListVersionedPlugins(ctx, pluginType)
}
2017-04-24 19:21:49 +00:00
// MlockEnabled returns the configuration setting for enabling mlock on plugins.
func (d dynamicSystemView) MlockEnabled() bool {
return d.core.enableMlock
2017-04-11 00:12:52 +00:00
}
func (d dynamicSystemView) EntityInfo(entityID string) (*logical.Entity, error) {
// Requests from token created from the token backend will not have entity information.
// Return missing entity instead of error when requesting from MemDB.
if entityID == "" {
return nil, nil
}
if d.core == nil {
return nil, fmt.Errorf("system view core is nil")
}
if d.core.identityStore == nil {
return nil, fmt.Errorf("system view identity store is nil")
}
// Retrieve the entity from MemDB
entity, err := d.core.identityStore.MemDBEntityByID(entityID, false)
if err != nil {
return nil, err
}
if entity == nil {
return nil, nil
}
// Return a subset of the data
ret := &logical.Entity{
ID: entity.ID,
Name: entity.Name,
Disabled: entity.Disabled,
}
if entity.Metadata != nil {
ret.Metadata = make(map[string]string, len(entity.Metadata))
for k, v := range entity.Metadata {
ret.Metadata[k] = v
}
}
aliases := make([]*logical.Alias, 0, len(entity.Aliases))
for _, a := range entity.Aliases {
// Don't return aliases from other namespaces
if a.NamespaceID != d.mountEntry.NamespaceID {
continue
}
alias := identity.ToSDKAlias(a)
// MountType is not stored with the entity and must be looked up
if mount := d.core.router.ValidateMountByAccessor(a.MountAccessor); mount != nil {
alias.MountType = mount.MountType
}
aliases = append(aliases, alias)
}
ret.Aliases = aliases
return ret, nil
}
2018-08-03 16:32:17 +00:00
func (d dynamicSystemView) GroupsForEntity(entityID string) ([]*logical.Group, error) {
// Requests from token created from the token backend will not have entity information.
// Return missing entity instead of error when requesting from MemDB.
if entityID == "" {
return nil, nil
}
if d.core == nil {
return nil, fmt.Errorf("system view core is nil")
}
if d.core.identityStore == nil {
return nil, fmt.Errorf("system view identity store is nil")
}
groups, inheritedGroups, err := d.core.identityStore.groupsByEntityID(entityID)
if err != nil {
return nil, err
}
groups = append(groups, inheritedGroups...)
logicalGroups := make([]*logical.Group, 0, len(groups))
for _, g := range groups {
// Don't return groups from other namespaces
if g.NamespaceID != d.mountEntry.NamespaceID {
continue
}
logicalGroups = append(logicalGroups, identity.ToSDKGroup(g))
}
return logicalGroups, nil
}
2018-08-03 16:32:17 +00:00
func (d dynamicSystemView) PluginEnv(_ context.Context) (*logical.PluginEnvironment, error) {
v := version.GetVersion()
2018-08-03 16:32:17 +00:00
return &logical.PluginEnvironment{
VaultVersion: v.Version,
VaultVersionPrerelease: v.VersionPrerelease,
VaultVersionMetadata: v.VersionMetadata,
2018-08-03 16:32:17 +00:00
}, nil
}
func (d dynamicSystemView) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error) {
if policyName == "" {
return "", fmt.Errorf("missing password policy name")
}
// Ensure there's a timeout on the context of some sort
if _, hasTimeout := ctx.Deadline(); !hasTimeout {
var cancel func()
ctx, cancel = context.WithTimeout(ctx, 1*time.Second)
defer cancel()
}
ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())
policyCfg, err := d.retrievePasswordPolicy(ctx, policyName)
if err != nil {
return "", fmt.Errorf("failed to retrieve password policy: %w", err)
}
if policyCfg == nil {
return "", fmt.Errorf("no password policy found")
}
passPolicy, err := random.ParsePolicy(policyCfg.HCLPolicy)
if err != nil {
return "", fmt.Errorf("stored password policy is invalid: %w", err)
}
return passPolicy.Generate(ctx, nil)
}