open-vault/vault/expiration.go

407 lines
10 KiB
Go
Raw Normal View History

package vault
2015-03-13 17:55:54 +00:00
import (
"encoding/json"
"fmt"
2015-03-16 01:06:19 +00:00
"log"
"os"
2015-03-13 17:55:54 +00:00
"path"
"strings"
"sync"
2015-03-13 17:55:54 +00:00
"time"
"github.com/hashicorp/vault/logical"
2015-03-13 17:55:54 +00:00
)
2015-03-13 01:38:15 +00:00
const (
// expirationSubPath is the sub-path used for the expiration manager
// view. This is nested under the system view.
expirationSubPath = "expire/"
// maxRevokeAttempts limits how many revoke attempts are made
maxRevokeAttempts = 6
// revokeRetryBase is a baseline retry time
revokeRetryBase = 10 * time.Second
// minRevokeDelay is used to prevent an instant revoke on restore
minRevokeDelay = 5 * time.Second
)
// ExpirationManager is used by the Core to manage leases. Secrets
// can provide a lease, meaning that they can be renewed or revoked.
// If a secret is not renewed in timely manner, it may be expired, and
// the ExpirationManager will handle doing automatic revocation.
type ExpirationManager struct {
2015-03-16 01:06:19 +00:00
router *Router
view *BarrierView
logger *log.Logger
pending map[string]*time.Timer
pendingLock sync.Mutex
}
// NewExpirationManager creates a new ExpirationManager that is backed
2015-03-13 01:38:15 +00:00
// using a given view, and uses the provided router for revocation.
2015-03-16 01:06:19 +00:00
func NewExpirationManager(router *Router, view *BarrierView, logger *log.Logger) *ExpirationManager {
if logger == nil {
logger = log.New(os.Stderr, "", log.LstdFlags)
}
exp := &ExpirationManager{
2015-03-16 01:06:19 +00:00
router: router,
view: view,
logger: logger,
pending: make(map[string]*time.Timer),
}
return exp
}
// setupExpiration is invoked after we've loaded the mount table to
// initialize the expiration manager
func (c *Core) setupExpiration() error {
// Create a sub-view
view := c.systemView.SubView(expirationSubPath)
// Create the manager
2015-03-16 01:06:19 +00:00
mgr := NewExpirationManager(c.router, view, c.logger)
c.expiration = mgr
// Restore the existing state
if err := c.expiration.Restore(); err != nil {
return fmt.Errorf("expiration state restore failed: %v", err)
}
return nil
}
// stopExpiration is used to stop the expiration manager before
// sealing the Vault.
func (c *Core) stopExpiration() error {
if err := c.expiration.Stop(); err != nil {
return err
}
c.expiration = nil
return nil
}
// Restore is used to recover the lease states when starting.
// This is used after starting the vault.
func (m *ExpirationManager) Restore() error {
m.pendingLock.Lock()
defer m.pendingLock.Unlock()
// Accumulate existing leases
var existing []string
cb := func(path string) {
existing = append(existing, path)
}
// Scan for all the leases
if err := ScanView(m.view, cb); err != nil {
return fmt.Errorf("failed to scan for leases: %v", err)
}
// Restore each key
for _, vaultID := range existing {
// Load the entry
le, err := m.loadEntry(vaultID)
if err != nil {
return err
}
// If there is no entry, nothing to restore
if le == nil {
continue
}
// Determine the remaining time to expiration
expires := time.Now().UTC().Sub(le.ExpireTime)
if expires <= 0 {
expires = minRevokeDelay
}
// Setup revocation timer
m.pending[le.VaultID] = time.AfterFunc(expires, func() {
m.expireID(le.VaultID)
})
}
m.logger.Printf("[INFO] expire: restored %d leases", len(m.pending))
return nil
}
// Stop is used to prevent further automatic revocations.
// This must be called before sealing the view.
func (m *ExpirationManager) Stop() error {
2015-03-16 01:06:19 +00:00
// Stop all the pending expiration timers
m.pendingLock.Lock()
for _, timer := range m.pending {
timer.Stop()
}
2015-03-16 01:06:19 +00:00
m.pending = make(map[string]*time.Timer)
m.pendingLock.Unlock()
return nil
}
2015-03-13 01:38:15 +00:00
// Revoke is used to revoke a secret named by the given vaultID
func (m *ExpirationManager) Revoke(vaultID string) error {
// Load the entry
le, err := m.loadEntry(vaultID)
if err != nil {
return err
}
// If there is no entry, nothing to revoke
if le == nil {
return nil
}
// Revoke the entry
if err := m.revokeEntry(le); err != nil {
return err
}
// Delete the entry
if err := m.deleteEntry(vaultID); err != nil {
return err
}
// Clear the expiration handler
m.pendingLock.Lock()
if timer, ok := m.pending[vaultID]; ok {
timer.Stop()
delete(m.pending, vaultID)
}
m.pendingLock.Unlock()
2015-03-13 01:38:15 +00:00
return nil
}
// RevokePrefix is used to revoke all secrets with a given prefix.
// The prefix maps to that of the mount table to make this simpler
// to reason about.
func (m *ExpirationManager) RevokePrefix(prefix string) error {
// Accumulate existing leases
var existing []string
cb := func(path string) {
existing = append(existing, path)
}
// Ensure there is a trailing slash
if !strings.HasSuffix(prefix, "/") {
prefix = prefix + "/"
}
// Scan for all the leases in the prefix
if err := ScanView(m.view.SubView(prefix), cb); err != nil {
return fmt.Errorf("failed to scan for leases: %v", err)
}
// Revoke all the keys
for idx, vaultID := range existing {
if err := m.Revoke(vaultID); err != nil {
return fmt.Errorf("failed to revoke '%s' (%d / %d): %v",
vaultID, idx+1, len(existing), err)
}
}
2015-03-13 01:38:15 +00:00
return nil
}
// Renew is used to renew a secret using the given vaultID
// and a renew interval. The increment may be ignored.
func (m *ExpirationManager) Renew(vaultID string, increment time.Duration) (*logical.Lease, error) {
// Load the entry
le, err := m.loadEntry(vaultID)
if err != nil {
return nil, err
}
// If there is no entry, cannot review
if le == nil {
return nil, fmt.Errorf("lease not found")
}
// Determine the remaining lease time
end := le.IssueTime.Add(le.Lease.MaxDuration)
now := time.Now().UTC()
remain := end.Sub(now)
if remain < 0 {
return nil, fmt.Errorf("lease expired")
}
// Set the default increment if none provided
if increment == 0 {
increment = le.Lease.Duration
}
// Determine the maximum lease renew
if increment > le.Lease.MaxIncrement && le.Lease.MaxIncrement != 0 {
increment = le.Lease.MaxIncrement
}
if increment > remain {
increment = remain
}
// Update the lease entry
le.ExpireTime = now.Add(increment)
if err := m.persistEntry(le); err != nil {
return nil, err
}
// Update the expiration time
m.pendingLock.Lock()
if timer, ok := m.pending[vaultID]; ok {
timer.Reset(increment)
}
m.pendingLock.Unlock()
// Return a new lease with updated durations
lease := new(logical.Lease)
*lease = *le.Lease
lease.Duration = increment
lease.MaxDuration = remain
return lease, nil
2015-03-13 01:38:15 +00:00
}
// Register is used to take a request and response with an associated
// lease. The secret gets assigned a vaultId and the management of
// of lease is assumed by the expiration manager.
func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Response) (string, error) {
2015-03-13 17:55:54 +00:00
// Ignore if there is no lease
if resp == nil || resp.Lease == nil {
return "", nil
}
// Validate the lease
if err := resp.Lease.Validate(); err != nil {
return "", err
}
// Cannot register a non-secret (e.g. a policy or configuration key)
if !resp.IsSecret {
return "", fmt.Errorf("cannot attach lease to non-secret")
}
// Create a lease entry
2015-03-13 18:37:07 +00:00
now := time.Now().UTC()
2015-03-13 17:55:54 +00:00
le := leaseEntry{
VaultID: path.Join(req.Path, generateUUID()),
Path: req.Path,
Data: resp.Data,
Lease: resp.Lease,
IssueTime: now,
ExpireTime: now.Add(resp.Lease.Duration),
2015-03-13 17:55:54 +00:00
}
2015-03-16 01:06:19 +00:00
// Encode the entry
if err := m.persistEntry(&le); err != nil {
return "", err
}
// Setup revocation timer
m.pendingLock.Lock()
m.pending[le.VaultID] = time.AfterFunc(resp.Lease.Duration, func() {
2015-03-16 01:06:19 +00:00
m.expireID(le.VaultID)
})
m.pendingLock.Unlock()
// Done
return le.VaultID, nil
}
// expireID is invoked when a given ID is expired
func (m *ExpirationManager) expireID(vaultID string) {
// Clear from the pending expiration
m.pendingLock.Lock()
delete(m.pending, vaultID)
m.pendingLock.Unlock()
for attempt := uint(0); attempt < maxRevokeAttempts; attempt++ {
err := m.Revoke(vaultID)
if err == nil {
m.logger.Printf("[INFO] expire: revoked '%s'", vaultID)
return
}
m.logger.Printf("[ERR] expire: failed to revoke '%s': %v", vaultID, err)
time.Sleep((1 << attempt) * revokeRetryBase)
2015-03-16 01:06:19 +00:00
}
m.logger.Printf("[ERR] expire: maximum revoke attempts for '%s' reached", vaultID)
2015-03-16 01:06:19 +00:00
}
// revokeEntry is used to attempt revocation of an internal entry
func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
2015-03-16 02:38:23 +00:00
req := &logical.Request{
Operation: logical.RevokeOperation,
2015-03-16 01:06:19 +00:00
Path: le.Path,
Data: le.Data,
}
_, err := m.router.Route(req)
if err != nil {
return fmt.Errorf("failed to revoke entry: %v", err)
}
return nil
2015-03-16 01:06:19 +00:00
}
// loadEntry is used to read a lease entry
func (m *ExpirationManager) loadEntry(vaultID string) (*leaseEntry, error) {
out, err := m.view.Get(vaultID)
if err != nil {
return nil, fmt.Errorf("failed to read lease entry: %v", err)
}
if out == nil {
return nil, nil
}
le, err := decodeLeaseEntry(out.Value)
if err != nil {
return nil, fmt.Errorf("failed to decode lease entry: %v", err)
}
return le, nil
}
// persistEntry is used to persist a lease entry
func (m *ExpirationManager) persistEntry(le *leaseEntry) error {
2015-03-13 17:55:54 +00:00
// Encode the entry
buf, err := le.encode()
if err != nil {
2015-03-16 01:06:19 +00:00
return fmt.Errorf("failed to encode lease entry: %v", err)
2015-03-13 17:55:54 +00:00
}
// Write out to the view
ent := logical.StorageEntry{
2015-03-13 17:55:54 +00:00
Key: le.VaultID,
Value: buf,
}
if err := m.view.Put(&ent); err != nil {
2015-03-16 01:06:19 +00:00
return fmt.Errorf("failed to persist lease entry: %v", err)
2015-03-13 17:55:54 +00:00
}
2015-03-16 01:06:19 +00:00
return nil
}
2015-03-13 17:55:54 +00:00
2015-03-16 01:06:19 +00:00
// deleteEntry is used to delete a lease entry
func (m *ExpirationManager) deleteEntry(vaultID string) error {
if err := m.view.Delete(vaultID); err != nil {
return fmt.Errorf("failed to delete lease entry: %v", err)
}
return nil
2015-03-13 17:55:54 +00:00
}
// leaseEntry is used to structure the values the expiration
// manager stores. This is used to handle renew and revocation.
type leaseEntry struct {
VaultID string `json:"vault_id"`
Path string `json:"path"`
Data map[string]interface{} `json:"data"`
Lease *logical.Lease `json:"lease"`
IssueTime time.Time `json:"issue_time"`
ExpireTime time.Time `json:"expire_time"`
2015-03-13 17:55:54 +00:00
}
// encode is used to JSON encode the lease entry
func (l *leaseEntry) encode() ([]byte, error) {
return json.Marshal(l)
}
// decodeLeaseEntry is used to reverse encode and return a new entry
func decodeLeaseEntry(buf []byte) (*leaseEntry, error) {
out := new(leaseEntry)
return out, json.Unmarshal(buf, out)
2015-03-13 01:38:15 +00:00
}