luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/vault/dynamic_system_view.go

388 lines
11 KiB
Go
Raw Normal View History

Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
package vault
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others).
2016-01-07 20:10:05 +00:00
import (
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
"context"
return a 404 when no plugin is found
2017-04-25 01:31:27 +00:00
"fmt"
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others).
2016-01-07 20:10:05 +00:00
"time"
Add identity templating helper to sdk/framework (#8088) * Add identity templating helper to sdk/framework * Cleanup a bit * Fix length issue when groups/aliases are filtered due to ns * review feedback
2020-01-06 18:16:52 +00:00
"github.com/hashicorp/vault/helper/identity"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/helper/namespace"
Move sdk/helper/random -> helper/random (#9226) * This package is new for 1.5 so this is not a breaking change. * This is being moved because this code was originally intended to be used within plugins, however the design of password policies has changed such that this is no longer needed. Thus, this code doesn't need to be in the public SDK.
2020-06-17 20:24:38 +00:00
"github.com/hashicorp/vault/helper/random"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/license"
"github.com/hashicorp/vault/sdk/helper/pluginutil"
"github.com/hashicorp/vault/sdk/helper/wrapping"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/version"
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others).
2016-01-07 20:10:05 +00:00
)
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
core: add generic request forwarding bits to oss (#6866)
2019-06-11 20:13:03 +00:00
type ctxKeyForwardedRequestMountAccessor struct{}
func (c ctxKeyForwardedRequestMountAccessor) String() string {
return "forwarded-req-mount-accessor"
}
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
type dynamicSystemView struct {
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views
2015-09-10 02:17:49 +00:00
core *Core
mountEntry *MountEntry
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
}
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
type extendedSystemView interface {
logical.SystemView
logical.ExtendedSystemView
// SudoPrivilege won't work over the plugin system so we keep it here
// instead of in sdk/logical to avoid exposing to plugins
SudoPrivilege(context.Context, string, string) bool
}
type extendedSystemViewImpl struct {
Allow plugins to submit audit requests/responses via extended SystemView (#6777) Move audit.LogInput to sdk/logical. Allow the Data values in audited logical.Request and Response to implement OptMarshaler, in which case we delegate hashing/serializing responsibility to them. Add new ClientCertificateSerialNumber audit request field. SystemView can now be cast to ExtendedSystemView to expose the Auditor interface, which allows submitting requests and responses to the audit broker.
2019-05-22 22:52:53 +00:00
dynamicSystemView
}
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
func (e extendedSystemViewImpl) Auditor() logical.Auditor {
Allow plugins to submit audit requests/responses via extended SystemView (#6777) Move audit.LogInput to sdk/logical. Allow the Data values in audited logical.Request and Response to implement OptMarshaler, in which case we delegate hashing/serializing responsibility to them. Add new ClientCertificateSerialNumber audit request field. SystemView can now be cast to ExtendedSystemView to expose the Auditor interface, which allows submitting requests and responses to the audit broker.
2019-05-22 22:52:53 +00:00
return genericAuditor{
mountType: e.mountEntry.Type,
namespace: e.mountEntry.Namespace(),
c: e.core,
}
}
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
func (e extendedSystemViewImpl) ForwardGenericRequest(ctx context.Context, req *logical.Request) (*logical.Response, error) {
core: add generic request forwarding bits to oss (#6866)
2019-06-11 20:13:03 +00:00
// Forward the request if allowed
if couldForward(e.core) {
ctx = namespace.ContextWithNamespace(ctx, e.mountEntry.Namespace())
OSS parts of the new client controlled consistency feature (#10974)
2021-02-24 11:58:10 +00:00
ctx = logical.IndexStateContext(ctx, &logical.WALState{})
core: add generic request forwarding bits to oss (#6866)
2019-06-11 20:13:03 +00:00
ctx = context.WithValue(ctx, ctxKeyForwardedRequestMountAccessor{}, e.mountEntry.Accessor)
return forward(ctx, e.core, req)
}
return nil, logical.ErrReadOnly
}
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
// SudoPrivilege returns true if given path has sudo privileges
// for the given client token
func (e extendedSystemViewImpl) SudoPrivilege(ctx context.Context, path string, token string) bool {
Take ClientToken instead of Policies
2015-09-21 14:04:03 +00:00
// Resolve the token policy
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
te, err := e.core.tokenStore.Lookup(ctx, token)
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-18 23:59:06 +00:00
if err != nil {
Vault-2257: don't log token error on DR Secondary (#13137) * don't log token error on DR Secondary * stop gauge collector expiration errors on dr secondary * don't check dr secondary for token create * see if CI hits panic * Revert "don't check dr secondary for token create" This reverts commit c036a1a544d3a20d29d046f1ee239ab1563ce4d9. * don't check dr secondary for token create * Revert "see if CI hits panic" This reverts commit 1e15aa535cac6e4d1684aaf47c8746c094068eb8. * remove condition on log
2021-11-17 16:21:54 +00:00
e.core.logger.Error("failed to lookup sudo token", "error", err)
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-18 23:59:06 +00:00
return false
}
Take ClientToken instead of Policies
2015-09-21 14:04:03 +00:00
// Ensure the token is valid
if te == nil {
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
e.core.logger.Error("entry not found for given token")
Take ClientToken instead of Policies
2015-09-21 14:04:03 +00:00
return false
}
Adds ability to define an inline policy and internal metadata on tokens (#12682) * Adds ability to define an inline policy and internal metadata to tokens * Update comment on fetchEntityAndDerivedPolicies * Simplify handling of inline policy * Update comment on InternalMeta Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Improve argument name Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior * Add SkipIdentityInheritance to pb struct in token store create method * Rename SkipIdentityInheritance to NoIdentityPolicies * Merge latest from main and make proto Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-10-07 17:36:22 +00:00
policyNames := make(map[string][]string)
The big one (#5346)
2018-09-18 03:03:00 +00:00
// Add token policies
Adds ability to define an inline policy and internal metadata on tokens (#12682) * Adds ability to define an inline policy and internal metadata to tokens * Update comment on fetchEntityAndDerivedPolicies * Simplify handling of inline policy * Update comment on InternalMeta Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Improve argument name Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior * Add SkipIdentityInheritance to pb struct in token store create method * Rename SkipIdentityInheritance to NoIdentityPolicies * Merge latest from main and make proto Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-10-07 17:36:22 +00:00
policyNames[te.NamespaceID] = append(policyNames[te.NamespaceID], te.Policies...)
The big one (#5346)
2018-09-18 03:03:00 +00:00
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
tokenNS, err := NamespaceByID(ctx, te.NamespaceID, e.core)
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err != nil {
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
e.core.logger.Error("failed to lookup token namespace", "error", err)
The big one (#5346)
2018-09-18 03:03:00 +00:00
return false
}
if tokenNS == nil {
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
e.core.logger.Error("failed to lookup token namespace", "error", namespace.ErrNoNamespace)
The big one (#5346)
2018-09-18 03:03:00 +00:00
return false
}
// Add identity policies from all the namespaces
Adds ability to define an inline policy and internal metadata on tokens (#12682) * Adds ability to define an inline policy and internal metadata to tokens * Update comment on fetchEntityAndDerivedPolicies * Simplify handling of inline policy * Update comment on InternalMeta Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Improve argument name Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior * Add SkipIdentityInheritance to pb struct in token store create method * Rename SkipIdentityInheritance to NoIdentityPolicies * Merge latest from main and make proto Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-10-07 17:36:22 +00:00
entity, identityPolicies, err := e.core.fetchEntityAndDerivedPolicies(ctx, tokenNS, te.EntityID, te.NoIdentityPolicies)
ACL Templating (#4994) * Initial work on templating * Add check for unbalanced closing in front * Add missing templated assignment * Add first cut of end-to-end test on templating. * Make template errors be 403s and finish up testing * Review feedback
2018-08-15 18:42:56 +00:00
if err != nil {
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
e.core.logger.Error("failed to fetch identity policies", "error", err)
ACL Templating (#4994) * Initial work on templating * Add check for unbalanced closing in front * Add missing templated assignment * Add first cut of end-to-end test on templating. * Make template errors be 403s and finish up testing * Review feedback
2018-08-15 18:42:56 +00:00
return false
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
for nsID, nsPolicies := range identityPolicies {
Adds ability to define an inline policy and internal metadata on tokens (#12682) * Adds ability to define an inline policy and internal metadata to tokens * Update comment on fetchEntityAndDerivedPolicies * Simplify handling of inline policy * Update comment on InternalMeta Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Improve argument name Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior * Add SkipIdentityInheritance to pb struct in token store create method * Rename SkipIdentityInheritance to NoIdentityPolicies * Merge latest from main and make proto Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-10-07 17:36:22 +00:00
policyNames[nsID] = append(policyNames[nsID], nsPolicies...)
The big one (#5346)
2018-09-18 03:03:00 +00:00
}
ACL Templating (#4994) * Initial work on templating * Add check for unbalanced closing in front * Add missing templated assignment * Add first cut of end-to-end test on templating. * Make template errors be 403s and finish up testing * Review feedback
2018-08-15 18:42:56 +00:00
The big one (#5346)
2018-09-18 03:03:00 +00:00
tokenCtx := namespace.ContextWithNamespace(ctx, tokenNS)
Adds ability to define an inline policy and internal metadata on tokens (#12682) * Adds ability to define an inline policy and internal metadata to tokens * Update comment on fetchEntityAndDerivedPolicies * Simplify handling of inline policy * Update comment on InternalMeta Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Improve argument name Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior * Add SkipIdentityInheritance to pb struct in token store create method * Rename SkipIdentityInheritance to NoIdentityPolicies * Merge latest from main and make proto Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-10-07 17:36:22 +00:00
// Add the inline policy if it's set
policies := make([]*Policy, 0)
if te.InlinePolicy != "" {
inlinePolicy, err := ParseACLPolicy(tokenNS, te.InlinePolicy)
if err != nil {
e.core.logger.Error("failed to parse the token's inline policy", "error", err)
return false
}
policies = append(policies, inlinePolicy)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
// Construct the corresponding ACL object. Derive and use a new context that
// uses the req.ClientToken's namespace
Adds ability to define an inline policy and internal metadata on tokens (#12682) * Adds ability to define an inline policy and internal metadata to tokens * Update comment on fetchEntityAndDerivedPolicies * Simplify handling of inline policy * Update comment on InternalMeta Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Improve argument name Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior * Add SkipIdentityInheritance to pb struct in token store create method * Rename SkipIdentityInheritance to NoIdentityPolicies * Merge latest from main and make proto Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-10-07 17:36:22 +00:00
acl, err := e.core.policyStore.ACL(tokenCtx, entity, policyNames, policies...)
Take ClientToken instead of Policies
2015-09-21 14:04:03 +00:00
if err != nil {
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
e.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)
Take ClientToken instead of Policies
2015-09-21 14:04:03 +00:00
return false
}
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others).
2016-01-07 20:10:05 +00:00
// The operation type isn't important here as this is run from a path the
// user has already been given access to; we only care about whether they
Fix create token sudo non-root namespace check (#7224) * Fix create token sudo non-root namespace check * Moved path trimming to SudoPrivilege * Changed to tokenCtx instead of request ctx * Use root context for AllowOperation; details in comment
2019-08-05 20:03:47 +00:00
// have sudo. Note that we use root context because the path that comes in
// must be fully-qualified already so we don't want AllowOperation to
// prepend a namespace prefix onto it.
Format dynamic_system_view.go
2017-01-20 00:54:08 +00:00
req := new(logical.Request)
req.Operation = logical.ReadOperation
req.Path = path
Fix create token sudo non-root namespace check (#7224) * Fix create token sudo non-root namespace check * Moved path trimming to SudoPrivilege * Changed to tokenCtx instead of request ctx * Use root context for AllowOperation; details in comment
2019-08-05 20:03:47 +00:00
authResults := acl.AllowOperation(namespace.RootContext(ctx), req, true)
Sync over
2017-10-23 20:03:36 +00:00
return authResults.RootPrivs
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-18 23:59:06 +00:00
}
Move SudoPrivilege out of SystemView (#7266) * Move SudoPrivilege out of SystemView We only use this in token store and it literally doesn't work anything that isn't the token store or system mount, so we should stop exposing something that doesn't work. * Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 14:23:46 +00:00
func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
def, _ := d.fetchTTLs()
return def
}
func (d dynamicSystemView) MaxLeaseTTL() time.Duration {
_, max := d.fetchTTLs()
return max
}
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
// TTLsByPath returns the default and max TTLs corresponding to a particular
// mount point, or the system default
Remove error returns from sysview TTL calls
2015-09-10 19:09:34 +00:00
func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
def = d.core.defaultLeaseTTL
max = d.core.maxLeaseTTL
The big one (#5346)
2018-09-18 03:03:00 +00:00
if d.mountEntry != nil {
if d.mountEntry.Config.DefaultLeaseTTL != 0 {
def = d.mountEntry.Config.DefaultLeaseTTL
}
if d.mountEntry.Config.MaxLeaseTTL != 0 {
max = d.mountEntry.Config.MaxLeaseTTL
}
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
}
return
}
Allow backends to see taint status. This can be seen via System(). In the PKI backend, if the CA is reconfigured but not fully (e.g. an intermediate CSR is generated but no corresponding cert set) and there are already leases (issued certs), the CRL is unable to be built. As a result revocation fails. But in this case we don't actually need revocation to be successful since the CRL is useless after unmounting. By checking taint status we know if we can simply fast-path out of revocation with a success in this case. Fixes #946
2016-01-22 22:01:22 +00:00
// Tainted indicates that the mount is in the process of being removed
func (d dynamicSystemView) Tainted() bool {
return d.mountEntry.Tainted
}
Plumb disabling caches through the policy store
2016-04-21 13:52:42 +00:00
Make a non-caching but still locking variant of transit for when caches are disabled
2016-04-21 20:32:06 +00:00
// CachingDisabled indicates whether to use caching behavior
func (d dynamicSystemView) CachingDisabled() bool {
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
return d.core.cachingDisabled || (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)
Plumb disabling caches through the policy store
2016-04-21 13:52:42 +00:00
}
Rejig dynamic system view to build without tags
2017-01-12 20:13:47 +00:00
Add a sysview call to determine if a mount is local. (#3899) This is useful for deciding when to run upgrade logic, e.g. if on a performance secondary but local it's fine to run.
2018-02-02 23:17:12 +00:00
func (d dynamicSystemView) LocalMount() bool {
return d.mountEntry != nil && d.mountEntry.Local
}
Update locking components from DR replication changes (#3283) * Update locking components from DR replication changes * Fix plugin backend test * Add a comment about needing the statelock:
2017-09-04 23:38:37 +00:00
// Checks if this is a primary Vault instance. Caller should hold the stateLock
// in read mode.
Move ReplicationState to consts
2017-02-16 18:37:21 +00:00
func (d dynamicSystemView) ReplicationState() consts.ReplicationState {
The big one (#5346)
2018-09-18 03:03:00 +00:00
state := d.core.ReplicationState()
if d.core.perfStandby {
state |= consts.ReplicationPerformanceStandby
}
return state
}
func (d dynamicSystemView) HasFeature(feature license.Features) bool {
return d.core.HasFeature(feature)
Rejig dynamic system view to build without tags
2017-01-12 20:13:47 +00:00
}
Work on TLS communication over plugins
2017-03-16 00:14:48 +00:00
// ResponseWrapData wraps the given data in a cubbyhole and returns the
// token used to unwrap.
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
func (d dynamicSystemView) ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
Work on TLS communication over plugins
2017-03-16 00:14:48 +00:00
req := &logical.Request{
Operation: logical.CreateOperation,
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 19:15:01 +00:00
Path: "sys/wrapping/wrap",
Work on TLS communication over plugins
2017-03-16 00:14:48 +00:00
}
resp := &logical.Response{
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 19:15:01 +00:00
WrapInfo: &wrapping.ResponseWrapInfo{
Work on TLS communication over plugins
2017-03-16 00:14:48 +00:00
TTL: ttl,
},
Data: data,
}
if jwt {
resp.WrapInfo.Format = "jwt"
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
_, err := d.core.wrapInCubbyhole(ctx, req, resp, nil)
Work on TLS communication over plugins
2017-03-16 00:14:48 +00:00
if err != nil {
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 19:15:01 +00:00
return nil, err
Work on TLS communication over plugins
2017-03-16 00:14:48 +00:00
}
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 19:15:01 +00:00
return resp.WrapInfo, nil
Work on TLS communication over plugins
2017-03-16 00:14:48 +00:00
}
Plugin catalog
2017-04-04 00:52:29 +00:00
feature: multiplexing support for database plugins (#14033) * feat: DB plugin multiplexing (#13734) * WIP: start from main and get a plugin runner from core * move MultiplexedClient map to plugin catalog - call sys.NewPluginClient from PluginFactory - updates to getPluginClient - thread through isMetadataMode * use go-plugin ClientProtocol interface - call sys.NewPluginClient from dbplugin.NewPluginClient * move PluginSets to dbplugin package - export dbplugin HandshakeConfig - small refactor of PluginCatalog.getPluginClient * add removeMultiplexedClient; clean up on Close() - call client.Kill from plugin catalog - set rpcClient when muxed client exists * add ID to dbplugin.DatabasePluginClient struct * only create one plugin process per plugin type * update NewPluginClient to return connection ID to sdk - wrap grpc.ClientConn so we can inject the ID into context - get ID from context on grpc server * add v6 multiplexing protocol version * WIP: backwards compat for db plugins * Ensure locking on plugin catalog access - Create public GetPluginClient method for plugin catalog - rename postgres db plugin * use the New constructor for db plugins * grpc server: use write lock for Close and rlock for CRUD * cleanup MultiplexedClients on Close * remove TODO * fix multiplexing regression with grpc server connection * cleanup grpc server instances on close * embed ClientProtocol in Multiplexer interface * use PluginClientConfig arg to make NewPluginClient plugin type agnostic * create a new plugin process for non-muxed plugins * feat: plugin multiplexing: handle plugin client cleanup (#13896) * use closure for plugin client cleanup * log and return errors; add comments * move rpcClient wrapping to core for ID injection * refactor core plugin client and sdk * remove unused ID method * refactor and only wrap clientConn on multiplexed plugins * rename structs and do not export types * Slight refactor of system view interface * Revert "Slight refactor of system view interface" This reverts commit 73d420e5cd2f0415e000c5a9284ea72a58016dd6. * Revert "Revert "Slight refactor of system view interface"" This reverts commit f75527008a1db06d04a23e04c3059674be8adb5f. * only provide pluginRunner arg to the internal newPluginClient method * embed ClientProtocol in pluginClient and name logger * Add back MLock support * remove enableMlock arg from setupPluginCatalog * rename plugin util interface to PluginClient Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com> * feature: multiplexing: fix unit tests (#14007) * fix grpc_server tests and add coverage * update run_config tests * add happy path test case for grpc_server ID from context * update test helpers * feat: multiplexing: handle v5 plugin compiled with new sdk * add mux supported flag and increase test coverage * set multiplexingSupport field in plugin server * remove multiplexingSupport field in sdk * revert postgres to non-multiplexed * add comments on grpc server fields * use pointer receiver on grpc server methods * add changelog * use pointer for grpcserver instance * Use a gRPC server to determine if a plugin should be multiplexed * Apply suggestions from code review Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * add lock to removePluginClient * add multiplexingSupport field to externalPlugin struct * do not send nil to grpc MultiplexingSupport * check err before logging * handle locking scenario for cleanupFunc * allow ServeConfigMultiplex to dispense v5 plugin * reposition structs, add err check and comments * add comment on locking for cleanupExternalPlugin Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com> Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2022-02-17 14:50:33 +00:00
func (d dynamicSystemView) NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error) {
if d.core == nil {
return nil, fmt.Errorf("system view core is nil")
}
if d.core.pluginCatalog == nil {
return nil, fmt.Errorf("system view core plugin catalog is nil")
}
c, err := d.core.pluginCatalog.NewPluginClient(ctx, config)
if err != nil {
return nil, err
}
return c, nil
}
Mlock the plugin process
2017-04-11 00:12:52 +00:00
// LookupPlugin looks for a plugin with the given name in the plugin catalog. It
// returns a PluginRunner or an error if no plugin was found.
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
func (d dynamicSystemView) LookupPlugin(ctx context.Context, name string, pluginType consts.PluginType) (*pluginutil.PluginRunner, error) {
Add plugin auto-reload capability (#3171) * Add automatic plugin reload * Refactor builtin/backend * Remove plugin reload at the core level * Refactor plugin tests * Add auto-reload test case * Change backend to use sync.RWMutex, fix dangling test plugin processes * Add a canary to plugin backends to avoid reloading many times (#3174) * Call setupPluginCatalog before mount-related operations in postUnseal * Don't create multiple system backends since core only holds a reference (#3176) to one.
2017-08-16 02:10:32 +00:00
if d.core == nil {
return nil, fmt.Errorf("system view core is nil")
}
if d.core.pluginCatalog == nil {
return nil, fmt.Errorf("system view core plugin catalog is nil")
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
r, err := d.core.pluginCatalog.Get(ctx, name, pluginType)
return a 404 when no plugin is found
2017-04-25 01:31:27 +00:00
if err != nil {
return nil, err
}
if r == nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 17:12:54 +00:00
return nil, fmt.Errorf("%w: %s", ErrPluginNotFound, name)
return a 404 when no plugin is found
2017-04-25 01:31:27 +00:00
}
return r, nil
Plugin catalog
2017-04-04 00:52:29 +00:00
}
Mlock the plugin process
2017-04-11 00:12:52 +00:00
Change MlockDisabled to MlockEnabled
2017-04-24 19:21:49 +00:00
// MlockEnabled returns the configuration setting for enabling mlock on plugins.
func (d dynamicSystemView) MlockEnabled() bool {
return d.core.enableMlock
Mlock the plugin process
2017-04-11 00:12:52 +00:00
}
Add entity information request to system view (#4681) * Add entity information request to system view * fixing a few comments * sharing types between plugin and logical * sharing types between plugin and logical * fixing output directory for proto * removing extra replacement * adding mount type lookup * empty entities return nil instead of error * adding some comments
2018-06-04 00:48:12 +00:00
func (d dynamicSystemView) EntityInfo(entityID string) (*logical.Entity, error) {
// Requests from token created from the token backend will not have entity information.
// Return missing entity instead of error when requesting from MemDB.
if entityID == "" {
return nil, nil
}
if d.core == nil {
return nil, fmt.Errorf("system view core is nil")
}
if d.core.identityStore == nil {
return nil, fmt.Errorf("system view identity store is nil")
}
// Retrieve the entity from MemDB
entity, err := d.core.identityStore.MemDBEntityByID(entityID, false)
if err != nil {
return nil, err
}
if entity == nil {
return nil, nil
}
Pass identity metadata through to plugins (#4967) It's not obvious why this should be secret, and if it were considered secret, when and what anything would ever be allowed to access it. Likely the right way to tie secret values to particular entities/aliases/groups would be to use the upcoming templated ACL feature.
2018-07-23 16:45:06 +00:00
// Return a subset of the data
ret := &logical.Entity{
Allow logical backends access to the disabled state of an entity (#6791) * Allow logical backends access to the disabled state of an entity via SystemView.EntityInfo(). * Add generated file in vendor directory.
2019-05-28 21:31:50 +00:00
ID: entity.ID,
Name: entity.Name,
Disabled: entity.Disabled,
Pass identity metadata through to plugins (#4967) It's not obvious why this should be secret, and if it were considered secret, when and what anything would ever be allowed to access it. Likely the right way to tie secret values to particular entities/aliases/groups would be to use the upcoming templated ACL feature.
2018-07-23 16:45:06 +00:00
}
if entity.Metadata != nil {
ret.Metadata = make(map[string]string, len(entity.Metadata))
for k, v := range entity.Metadata {
ret.Metadata[k] = v
}
}
Add identity templating helper to sdk/framework (#8088) * Add identity templating helper to sdk/framework * Cleanup a bit * Fix length issue when groups/aliases are filtered due to ns * review feedback
2020-01-06 18:16:52 +00:00
aliases := make([]*logical.Alias, 0, len(entity.Aliases))
for _, a := range entity.Aliases {
// Don't return aliases from other namespaces
if a.NamespaceID != d.mountEntry.NamespaceID {
continue
Add entity information request to system view (#4681) * Add entity information request to system view * fixing a few comments * sharing types between plugin and logical * sharing types between plugin and logical * fixing output directory for proto * removing extra replacement * adding mount type lookup * empty entities return nil instead of error * adding some comments
2018-06-04 00:48:12 +00:00
}
Add identity templating helper to sdk/framework (#8088) * Add identity templating helper to sdk/framework * Cleanup a bit * Fix length issue when groups/aliases are filtered due to ns * review feedback
2020-01-06 18:16:52 +00:00
alias := identity.ToSDKAlias(a)
Add entity information request to system view (#4681) * Add entity information request to system view * fixing a few comments * sharing types between plugin and logical * sharing types between plugin and logical * fixing output directory for proto * removing extra replacement * adding mount type lookup * empty entities return nil instead of error * adding some comments
2018-06-04 00:48:12 +00:00
// MountType is not stored with the entity and must be looked up
Refactor usages of Core in IdentityStore so they can be decoupled. (#12461)
2021-08-30 19:31:11 +00:00
if mount := d.core.router.ValidateMountByAccessor(a.MountAccessor); mount != nil {
Pass identity metadata through to plugins (#4967) It's not obvious why this should be secret, and if it were considered secret, when and what anything would ever be allowed to access it. Likely the right way to tie secret values to particular entities/aliases/groups would be to use the upcoming templated ACL feature.
2018-07-23 16:45:06 +00:00
alias.MountType = mount.MountType
}
Add identity templating helper to sdk/framework (#8088) * Add identity templating helper to sdk/framework * Cleanup a bit * Fix length issue when groups/aliases are filtered due to ns * review feedback
2020-01-06 18:16:52 +00:00
aliases = append(aliases, alias)
Add entity information request to system view (#4681) * Add entity information request to system view * fixing a few comments * sharing types between plugin and logical * sharing types between plugin and logical * fixing output directory for proto * removing extra replacement * adding mount type lookup * empty entities return nil instead of error * adding some comments
2018-06-04 00:48:12 +00:00
}
Pass identity metadata through to plugins (#4967) It's not obvious why this should be secret, and if it were considered secret, when and what anything would ever be allowed to access it. Likely the right way to tie secret values to particular entities/aliases/groups would be to use the upcoming templated ACL feature.
2018-07-23 16:45:06 +00:00
ret.Aliases = aliases
Add entity information request to system view (#4681) * Add entity information request to system view * fixing a few comments * sharing types between plugin and logical * sharing types between plugin and logical * fixing output directory for proto * removing extra replacement * adding mount type lookup * empty entities return nil instead of error * adding some comments
2018-06-04 00:48:12 +00:00
Pass identity metadata through to plugins (#4967) It's not obvious why this should be secret, and if it were considered secret, when and what anything would ever be allowed to access it. Likely the right way to tie secret values to particular entities/aliases/groups would be to use the upcoming templated ACL feature.
2018-07-23 16:45:06 +00:00
return ret, nil
Add entity information request to system view (#4681) * Add entity information request to system view * fixing a few comments * sharing types between plugin and logical * sharing types between plugin and logical * fixing output directory for proto * removing extra replacement * adding mount type lookup * empty entities return nil instead of error * adding some comments
2018-06-04 00:48:12 +00:00
}
Add PluginEnv to SystemView (#5028)
2018-08-03 16:32:17 +00:00
Add identity templating helper to sdk/framework (#8088) * Add identity templating helper to sdk/framework * Cleanup a bit * Fix length issue when groups/aliases are filtered due to ns * review feedback
2020-01-06 18:16:52 +00:00
func (d dynamicSystemView) GroupsForEntity(entityID string) ([]*logical.Group, error) {
// Requests from token created from the token backend will not have entity information.
// Return missing entity instead of error when requesting from MemDB.
if entityID == "" {
return nil, nil
}
if d.core == nil {
return nil, fmt.Errorf("system view core is nil")
}
if d.core.identityStore == nil {
return nil, fmt.Errorf("system view identity store is nil")
}
groups, inheritedGroups, err := d.core.identityStore.groupsByEntityID(entityID)
if err != nil {
return nil, err
}
groups = append(groups, inheritedGroups...)
logicalGroups := make([]*logical.Group, 0, len(groups))
for _, g := range groups {
// Don't return groups from other namespaces
if g.NamespaceID != d.mountEntry.NamespaceID {
continue
}
logicalGroups = append(logicalGroups, identity.ToSDKGroup(g))
}
return logicalGroups, nil
}
Add PluginEnv to SystemView (#5028)
2018-08-03 16:32:17 +00:00
func (d dynamicSystemView) PluginEnv(_ context.Context) (*logical.PluginEnvironment, error) {
return &logical.PluginEnvironment{
VaultVersion: version.GetVersion().Version,
}, nil
}
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
func (d dynamicSystemView) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error) {
if policyName == "" {
return "", fmt.Errorf("missing password policy name")
}
// Ensure there's a timeout on the context of some sort
if _, hasTimeout := ctx.Deadline(); !hasTimeout {
var cancel func()
core: updates to password policy generator (#11596) * core: fix bug in password policies not using namespaces * Add changelog
2021-05-13 13:55:46 +00:00
ctx, cancel = context.WithTimeout(ctx, 1*time.Second)
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
defer cancel()
}
core: set namespace within GeneratePasswordFromPolicy (#12635) * core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy * test: update TestDynamicSystemView to be ns-aware, update tests * add changelog entry
2021-09-27 16:08:07 +00:00
ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())
core: updates to password policy generator (#11596) * core: fix bug in password policies not using namespaces * Add changelog
2021-05-13 13:55:46 +00:00
policyCfg, err := d.retrievePasswordPolicy(ctx, policyName)
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
if err != nil {
return "", fmt.Errorf("failed to retrieve password policy: %w", err)
}
if policyCfg == nil {
return "", fmt.Errorf("no password policy found")
}
passPolicy, err := random.ParsePolicy(policyCfg.HCLPolicy)
if err != nil {
return "", fmt.Errorf("stored password policy is invalid: %w", err)
}
return passPolicy.Generate(ctx, nil)
}