2015-03-12 19:44:22 +00:00
|
|
|
package vault
|
|
|
|
|
2015-03-13 17:55:54 +00:00
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2015-03-16 01:06:19 +00:00
|
|
|
"log"
|
|
|
|
"os"
|
2015-03-13 17:55:54 +00:00
|
|
|
"path"
|
2015-03-16 18:33:59 +00:00
|
|
|
"strings"
|
2015-03-13 18:31:43 +00:00
|
|
|
"sync"
|
2015-03-13 17:55:54 +00:00
|
|
|
"time"
|
2015-03-15 20:52:43 +00:00
|
|
|
|
2015-04-08 23:43:17 +00:00
|
|
|
"github.com/armon/go-metrics"
|
2015-12-16 17:56:20 +00:00
|
|
|
"github.com/hashicorp/go-uuid"
|
2015-03-15 20:52:43 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
2015-03-13 17:55:54 +00:00
|
|
|
)
|
2015-03-13 01:38:15 +00:00
|
|
|
|
2015-03-12 19:44:22 +00:00
|
|
|
const (
|
|
|
|
// expirationSubPath is the sub-path used for the expiration manager
|
|
|
|
// view. This is nested under the system view.
|
|
|
|
expirationSubPath = "expire/"
|
2015-03-16 18:33:59 +00:00
|
|
|
|
2015-04-10 21:21:23 +00:00
|
|
|
// leaseViewPrefix is the prefix used for the ID based lookup of leases.
|
|
|
|
leaseViewPrefix = "id/"
|
|
|
|
|
|
|
|
// tokenViewPrefix is the prefix used for the token based lookup of leases.
|
|
|
|
tokenViewPrefix = "token/"
|
|
|
|
|
2015-03-16 18:33:59 +00:00
|
|
|
// maxRevokeAttempts limits how many revoke attempts are made
|
|
|
|
maxRevokeAttempts = 6
|
|
|
|
|
|
|
|
// revokeRetryBase is a baseline retry time
|
|
|
|
revokeRetryBase = 10 * time.Second
|
|
|
|
|
|
|
|
// minRevokeDelay is used to prevent an instant revoke on restore
|
|
|
|
minRevokeDelay = 5 * time.Second
|
2015-04-03 00:45:42 +00:00
|
|
|
|
2015-07-30 13:42:49 +00:00
|
|
|
// maxLeaseDuration is the default maximum lease duration
|
2015-08-27 14:50:16 +00:00
|
|
|
maxLeaseTTL = 30 * 24 * time.Hour
|
2015-04-03 00:45:42 +00:00
|
|
|
|
2015-07-30 13:42:49 +00:00
|
|
|
// defaultLeaseDuration is the default lease duration used when no lease is specified
|
2015-08-27 14:50:16 +00:00
|
|
|
defaultLeaseTTL = maxLeaseTTL
|
2015-03-12 19:44:22 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// ExpirationManager is used by the Core to manage leases. Secrets
|
|
|
|
// can provide a lease, meaning that they can be renewed or revoked.
|
|
|
|
// If a secret is not renewed in timely manner, it may be expired, and
|
|
|
|
// the ExpirationManager will handle doing automatic revocation.
|
|
|
|
type ExpirationManager struct {
|
2015-03-24 01:00:14 +00:00
|
|
|
router *Router
|
2015-04-10 21:21:23 +00:00
|
|
|
idView *BarrierView
|
|
|
|
tokenView *BarrierView
|
2015-03-24 01:00:14 +00:00
|
|
|
tokenStore *TokenStore
|
|
|
|
logger *log.Logger
|
2015-03-16 01:06:19 +00:00
|
|
|
|
|
|
|
pending map[string]*time.Timer
|
2015-03-16 18:33:59 +00:00
|
|
|
pendingLock sync.Mutex
|
2015-03-12 19:44:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewExpirationManager creates a new ExpirationManager that is backed
|
2015-03-13 01:38:15 +00:00
|
|
|
// using a given view, and uses the provided router for revocation.
|
2015-03-24 01:00:14 +00:00
|
|
|
func NewExpirationManager(router *Router, view *BarrierView, ts *TokenStore, logger *log.Logger) *ExpirationManager {
|
2015-03-16 01:06:19 +00:00
|
|
|
if logger == nil {
|
|
|
|
logger = log.New(os.Stderr, "", log.LstdFlags)
|
|
|
|
}
|
2015-03-12 19:44:22 +00:00
|
|
|
exp := &ExpirationManager{
|
2015-03-24 01:00:14 +00:00
|
|
|
router: router,
|
2015-04-10 21:21:23 +00:00
|
|
|
idView: view.SubView(leaseViewPrefix),
|
|
|
|
tokenView: view.SubView(tokenViewPrefix),
|
2015-03-24 01:00:14 +00:00
|
|
|
tokenStore: ts,
|
|
|
|
logger: logger,
|
|
|
|
pending: make(map[string]*time.Timer),
|
2015-03-12 19:44:22 +00:00
|
|
|
}
|
|
|
|
return exp
|
|
|
|
}
|
|
|
|
|
|
|
|
// setupExpiration is invoked after we've loaded the mount table to
|
|
|
|
// initialize the expiration manager
|
|
|
|
func (c *Core) setupExpiration() error {
|
2015-10-12 20:33:54 +00:00
|
|
|
c.metricsMutex.Lock()
|
|
|
|
defer c.metricsMutex.Unlock()
|
2015-03-12 19:44:22 +00:00
|
|
|
// Create a sub-view
|
2015-09-04 20:58:12 +00:00
|
|
|
view := c.systemBarrierView.SubView(expirationSubPath)
|
2015-03-12 19:44:22 +00:00
|
|
|
|
|
|
|
// Create the manager
|
2015-03-24 01:00:14 +00:00
|
|
|
mgr := NewExpirationManager(c.router, view, c.tokenStore, c.logger)
|
2015-03-12 19:44:22 +00:00
|
|
|
c.expiration = mgr
|
2015-03-13 18:20:36 +00:00
|
|
|
|
2015-04-03 18:40:08 +00:00
|
|
|
// Link the token store to this
|
|
|
|
c.tokenStore.SetExpirationManager(mgr)
|
|
|
|
|
2015-03-13 18:20:36 +00:00
|
|
|
// Restore the existing state
|
|
|
|
if err := c.expiration.Restore(); err != nil {
|
|
|
|
return fmt.Errorf("expiration state restore failed: %v", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// stopExpiration is used to stop the expiration manager before
|
|
|
|
// sealing the Vault.
|
|
|
|
func (c *Core) stopExpiration() error {
|
2015-04-14 20:32:56 +00:00
|
|
|
if c.expiration != nil {
|
|
|
|
if err := c.expiration.Stop(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2015-10-12 20:33:54 +00:00
|
|
|
c.metricsMutex.Lock()
|
|
|
|
defer c.metricsMutex.Unlock()
|
2015-04-14 20:32:56 +00:00
|
|
|
c.expiration = nil
|
2015-03-13 18:20:36 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Restore is used to recover the lease states when starting.
|
|
|
|
// This is used after starting the vault.
|
|
|
|
func (m *ExpirationManager) Restore() error {
|
2015-03-16 18:33:59 +00:00
|
|
|
m.pendingLock.Lock()
|
|
|
|
defer m.pendingLock.Unlock()
|
|
|
|
|
|
|
|
// Accumulate existing leases
|
2015-04-10 21:21:23 +00:00
|
|
|
existing, err := CollectKeys(m.idView)
|
2015-03-18 19:03:33 +00:00
|
|
|
if err != nil {
|
2015-03-16 18:33:59 +00:00
|
|
|
return fmt.Errorf("failed to scan for leases: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Restore each key
|
2015-04-08 20:35:32 +00:00
|
|
|
for _, leaseID := range existing {
|
2015-03-16 18:33:59 +00:00
|
|
|
// Load the entry
|
2015-04-08 20:35:32 +00:00
|
|
|
le, err := m.loadEntry(leaseID)
|
2015-03-16 18:33:59 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// If there is no entry, nothing to restore
|
|
|
|
if le == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2015-04-01 04:01:12 +00:00
|
|
|
// If there is no expiry time, don't do anything
|
|
|
|
if le.ExpireTime.IsZero() {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2015-03-16 18:33:59 +00:00
|
|
|
// Determine the remaining time to expiration
|
2015-03-16 22:11:35 +00:00
|
|
|
expires := le.ExpireTime.Sub(time.Now().UTC())
|
2015-03-16 18:33:59 +00:00
|
|
|
if expires <= 0 {
|
|
|
|
expires = minRevokeDelay
|
|
|
|
}
|
|
|
|
|
|
|
|
// Setup revocation timer
|
2015-04-08 20:35:32 +00:00
|
|
|
m.pending[le.LeaseID] = time.AfterFunc(expires, func() {
|
|
|
|
m.expireID(le.LeaseID)
|
2015-03-16 18:33:59 +00:00
|
|
|
})
|
|
|
|
}
|
2015-03-24 00:27:46 +00:00
|
|
|
if len(m.pending) > 0 {
|
|
|
|
m.logger.Printf("[INFO] expire: restored %d leases", len(m.pending))
|
|
|
|
}
|
2015-03-13 18:20:36 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Stop is used to prevent further automatic revocations.
|
|
|
|
// This must be called before sealing the view.
|
|
|
|
func (m *ExpirationManager) Stop() error {
|
2015-03-16 01:06:19 +00:00
|
|
|
// Stop all the pending expiration timers
|
|
|
|
m.pendingLock.Lock()
|
|
|
|
for _, timer := range m.pending {
|
|
|
|
timer.Stop()
|
2015-03-13 18:31:43 +00:00
|
|
|
}
|
2015-03-16 01:06:19 +00:00
|
|
|
m.pending = make(map[string]*time.Timer)
|
|
|
|
m.pendingLock.Unlock()
|
2015-03-12 19:44:22 +00:00
|
|
|
return nil
|
|
|
|
}
|
2015-03-13 01:38:15 +00:00
|
|
|
|
2015-04-08 20:35:32 +00:00
|
|
|
// Revoke is used to revoke a secret named by the given LeaseID
|
|
|
|
func (m *ExpirationManager) Revoke(leaseID string) error {
|
2015-04-08 23:43:17 +00:00
|
|
|
defer metrics.MeasureSince([]string{"expire", "revoke"}, time.Now())
|
2015-03-16 18:33:59 +00:00
|
|
|
// Load the entry
|
2015-04-08 20:35:32 +00:00
|
|
|
le, err := m.loadEntry(leaseID)
|
2015-03-16 18:33:59 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// If there is no entry, nothing to revoke
|
|
|
|
if le == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Revoke the entry
|
|
|
|
if err := m.revokeEntry(le); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete the entry
|
2015-04-08 20:35:32 +00:00
|
|
|
if err := m.deleteEntry(leaseID); err != nil {
|
2015-03-16 18:33:59 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2015-04-10 21:48:08 +00:00
|
|
|
// Delete the secondary index
|
2015-11-04 15:48:44 +00:00
|
|
|
if err := m.removeIndexByToken(le.ClientToken, le.LeaseID); err != nil {
|
2015-04-10 21:48:08 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2015-03-16 18:33:59 +00:00
|
|
|
// Clear the expiration handler
|
|
|
|
m.pendingLock.Lock()
|
2015-04-08 20:35:32 +00:00
|
|
|
if timer, ok := m.pending[leaseID]; ok {
|
2015-03-16 18:33:59 +00:00
|
|
|
timer.Stop()
|
2015-04-08 20:35:32 +00:00
|
|
|
delete(m.pending, leaseID)
|
2015-03-16 18:33:59 +00:00
|
|
|
}
|
|
|
|
m.pendingLock.Unlock()
|
2015-03-13 01:38:15 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// RevokePrefix is used to revoke all secrets with a given prefix.
|
|
|
|
// The prefix maps to that of the mount table to make this simpler
|
|
|
|
// to reason about.
|
|
|
|
func (m *ExpirationManager) RevokePrefix(prefix string) error {
|
2015-04-08 23:43:17 +00:00
|
|
|
defer metrics.MeasureSince([]string{"expire", "revoke-prefix"}, time.Now())
|
2015-03-16 21:59:37 +00:00
|
|
|
// Ensure there is a trailing slash
|
|
|
|
if !strings.HasSuffix(prefix, "/") {
|
|
|
|
prefix = prefix + "/"
|
|
|
|
}
|
|
|
|
|
2015-03-16 18:33:59 +00:00
|
|
|
// Accumulate existing leases
|
2015-04-10 21:21:23 +00:00
|
|
|
sub := m.idView.SubView(prefix)
|
2015-03-18 19:03:33 +00:00
|
|
|
existing, err := CollectKeys(sub)
|
|
|
|
if err != nil {
|
2015-03-16 18:33:59 +00:00
|
|
|
return fmt.Errorf("failed to scan for leases: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Revoke all the keys
|
2015-03-16 21:59:37 +00:00
|
|
|
for idx, suffix := range existing {
|
2015-04-08 20:35:32 +00:00
|
|
|
leaseID := prefix + suffix
|
|
|
|
if err := m.Revoke(leaseID); err != nil {
|
2015-03-16 18:33:59 +00:00
|
|
|
return fmt.Errorf("failed to revoke '%s' (%d / %d): %v",
|
2015-04-08 20:35:32 +00:00
|
|
|
leaseID, idx+1, len(existing), err)
|
2015-03-16 18:33:59 +00:00
|
|
|
}
|
|
|
|
}
|
2015-03-13 01:38:15 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-04-10 21:48:08 +00:00
|
|
|
// RevokeByToken is used to revoke all the secrets issued with
|
|
|
|
// a given token. This is done by using the secondary index.
|
|
|
|
func (m *ExpirationManager) RevokeByToken(token string) error {
|
|
|
|
defer metrics.MeasureSince([]string{"expire", "revoke-by-token"}, time.Now())
|
|
|
|
// Lookup the leases
|
|
|
|
existing, err := m.lookupByToken(token)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to scan for leases: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Revoke all the keys
|
|
|
|
for idx, leaseID := range existing {
|
|
|
|
if err := m.Revoke(leaseID); err != nil {
|
|
|
|
return fmt.Errorf("failed to revoke '%s' (%d / %d): %v",
|
|
|
|
leaseID, idx+1, len(existing), err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-04-08 20:35:32 +00:00
|
|
|
// Renew is used to renew a secret using the given leaseID
|
2015-03-13 01:38:15 +00:00
|
|
|
// and a renew interval. The increment may be ignored.
|
2015-04-08 20:35:32 +00:00
|
|
|
func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*logical.Response, error) {
|
2015-04-08 23:43:17 +00:00
|
|
|
defer metrics.MeasureSince([]string{"expire", "renew"}, time.Now())
|
2015-03-16 18:33:59 +00:00
|
|
|
// Load the entry
|
2015-04-08 20:35:32 +00:00
|
|
|
le, err := m.loadEntry(leaseID)
|
2015-03-16 18:33:59 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2015-04-09 21:23:37 +00:00
|
|
|
// Check if the lease is renewable
|
|
|
|
if err := le.renewable(); err != nil {
|
|
|
|
return nil, err
|
2015-04-09 00:03:46 +00:00
|
|
|
}
|
|
|
|
|
2015-03-16 20:29:51 +00:00
|
|
|
// Attempt to renew the entry
|
2015-03-16 21:59:37 +00:00
|
|
|
resp, err := m.renewEntry(le, increment)
|
2015-03-16 20:29:51 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2015-03-16 18:33:59 +00:00
|
|
|
}
|
|
|
|
|
2015-03-16 20:29:51 +00:00
|
|
|
// Fast-path if there is no lease
|
2015-04-09 19:29:13 +00:00
|
|
|
if resp == nil || resp.Secret == nil || !resp.Secret.LeaseEnabled() {
|
2015-03-16 20:29:51 +00:00
|
|
|
return resp, nil
|
2015-03-16 18:33:59 +00:00
|
|
|
}
|
|
|
|
|
2015-03-16 20:29:51 +00:00
|
|
|
// Validate the lease
|
2015-03-19 22:11:42 +00:00
|
|
|
if err := resp.Secret.Validate(); err != nil {
|
2015-03-16 20:29:51 +00:00
|
|
|
return nil, err
|
2015-03-16 18:33:59 +00:00
|
|
|
}
|
|
|
|
|
2015-04-08 20:35:32 +00:00
|
|
|
// Attach the LeaseID
|
|
|
|
resp.Secret.LeaseID = leaseID
|
2015-03-16 23:11:55 +00:00
|
|
|
|
2015-03-16 18:33:59 +00:00
|
|
|
// Update the lease entry
|
2015-03-16 20:29:51 +00:00
|
|
|
le.Data = resp.Data
|
2015-03-19 22:11:42 +00:00
|
|
|
le.Secret = resp.Secret
|
2015-04-09 19:29:13 +00:00
|
|
|
le.ExpireTime = resp.Secret.ExpirationTime()
|
2016-01-04 21:43:07 +00:00
|
|
|
le.LastRenewalTime = time.Now().UTC()
|
2015-03-16 18:33:59 +00:00
|
|
|
if err := m.persistEntry(le); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update the expiration time
|
2015-04-09 19:39:12 +00:00
|
|
|
m.updatePending(le, resp.Secret.LeaseTotal())
|
2015-03-16 18:33:59 +00:00
|
|
|
|
2015-03-16 20:29:51 +00:00
|
|
|
// Return the response
|
|
|
|
return resp, nil
|
2015-03-13 01:38:15 +00:00
|
|
|
}
|
|
|
|
|
2015-04-03 18:58:10 +00:00
|
|
|
// RenewToken is used to renew a token which does not need to
|
|
|
|
// invoke a logical backend.
|
2015-04-09 21:23:37 +00:00
|
|
|
func (m *ExpirationManager) RenewToken(source string, token string,
|
|
|
|
increment time.Duration) (*logical.Auth, error) {
|
2015-04-08 23:43:17 +00:00
|
|
|
defer metrics.MeasureSince([]string{"expire", "renew-token"}, time.Now())
|
2015-04-08 20:35:32 +00:00
|
|
|
// Compute the Lease ID
|
|
|
|
leaseID := path.Join(source, m.tokenStore.SaltID(token))
|
2015-04-03 18:58:10 +00:00
|
|
|
|
|
|
|
// Load the entry
|
2015-04-08 20:35:32 +00:00
|
|
|
le, err := m.loadEntry(leaseID)
|
2015-04-03 18:58:10 +00:00
|
|
|
if err != nil {
|
2015-04-06 23:35:39 +00:00
|
|
|
return nil, err
|
2015-04-03 18:58:10 +00:00
|
|
|
}
|
|
|
|
|
2015-04-09 21:23:37 +00:00
|
|
|
// Check if the lease is renewable
|
|
|
|
if err := le.renewable(); err != nil {
|
|
|
|
return nil, err
|
2015-04-03 18:58:10 +00:00
|
|
|
}
|
|
|
|
|
2015-04-09 21:23:37 +00:00
|
|
|
// Attempt to renew the auth entry
|
|
|
|
resp, err := m.renewAuthEntry(le, increment)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2015-04-03 18:58:10 +00:00
|
|
|
}
|
|
|
|
|
2015-04-09 21:23:37 +00:00
|
|
|
// Fast-path if there is no renewal
|
|
|
|
if resp == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
if resp.Auth == nil || !resp.Auth.LeaseEnabled() {
|
|
|
|
return resp.Auth, nil
|
2015-04-09 00:03:46 +00:00
|
|
|
}
|
|
|
|
|
2015-04-09 21:23:37 +00:00
|
|
|
// Attach the ClientToken
|
|
|
|
resp.Auth.ClientToken = token
|
2015-08-21 05:27:01 +00:00
|
|
|
resp.Auth.Increment = 0
|
2015-04-09 21:23:37 +00:00
|
|
|
|
2015-04-03 18:58:10 +00:00
|
|
|
// Update the lease entry
|
2015-04-09 21:23:37 +00:00
|
|
|
le.Auth = resp.Auth
|
|
|
|
le.ExpireTime = resp.Auth.ExpirationTime()
|
2016-01-04 21:43:07 +00:00
|
|
|
le.LastRenewalTime = time.Now().UTC()
|
2015-04-03 18:58:10 +00:00
|
|
|
if err := m.persistEntry(le); err != nil {
|
2015-04-06 23:35:39 +00:00
|
|
|
return nil, err
|
2015-04-03 18:58:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Update the expiration time
|
2015-04-09 21:23:37 +00:00
|
|
|
m.updatePending(le, resp.Auth.LeaseTotal())
|
|
|
|
return resp.Auth, nil
|
2015-04-03 18:58:10 +00:00
|
|
|
}
|
|
|
|
|
2015-03-13 01:38:15 +00:00
|
|
|
// Register is used to take a request and response with an associated
|
2015-04-08 20:35:32 +00:00
|
|
|
// lease. The secret gets assigned a LeaseID and the management of
|
2015-03-13 01:38:15 +00:00
|
|
|
// of lease is assumed by the expiration manager.
|
2015-03-15 21:53:41 +00:00
|
|
|
func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Response) (string, error) {
|
2015-04-08 23:43:17 +00:00
|
|
|
defer metrics.MeasureSince([]string{"expire", "register"}, time.Now())
|
2015-03-19 22:11:42 +00:00
|
|
|
// Ignore if there is no leased secret
|
2015-04-01 04:04:10 +00:00
|
|
|
if resp == nil || resp.Secret == nil {
|
2015-03-13 17:55:54 +00:00
|
|
|
return "", nil
|
|
|
|
}
|
|
|
|
|
2015-03-19 22:11:42 +00:00
|
|
|
// Validate the secret
|
|
|
|
if err := resp.Secret.Validate(); err != nil {
|
2015-03-13 17:55:54 +00:00
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create a lease entry
|
|
|
|
le := leaseEntry{
|
2015-06-30 19:38:32 +00:00
|
|
|
LeaseID: path.Join(req.Path, uuid.GenerateUUID()),
|
2015-04-10 21:48:08 +00:00
|
|
|
ClientToken: req.ClientToken,
|
|
|
|
Path: req.Path,
|
|
|
|
Data: resp.Data,
|
|
|
|
Secret: resp.Secret,
|
2015-06-17 21:28:13 +00:00
|
|
|
IssueTime: time.Now().UTC(),
|
2015-04-10 21:48:08 +00:00
|
|
|
ExpireTime: resp.Secret.ExpirationTime(),
|
2015-03-13 17:55:54 +00:00
|
|
|
}
|
|
|
|
|
2015-03-16 01:06:19 +00:00
|
|
|
// Encode the entry
|
|
|
|
if err := m.persistEntry(&le); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
2015-04-10 21:48:08 +00:00
|
|
|
// Maintain secondary index by token
|
2015-11-04 15:48:44 +00:00
|
|
|
if err := m.createIndexByToken(le.ClientToken, le.LeaseID); err != nil {
|
2015-04-10 21:48:08 +00:00
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
2015-04-01 04:01:12 +00:00
|
|
|
// Setup revocation timer if there is a lease
|
2015-04-09 19:39:12 +00:00
|
|
|
m.updatePending(&le, resp.Secret.LeaseTotal())
|
2015-03-16 01:06:19 +00:00
|
|
|
|
|
|
|
// Done
|
2015-04-08 20:35:32 +00:00
|
|
|
return le.LeaseID, nil
|
2015-03-16 01:06:19 +00:00
|
|
|
}
|
|
|
|
|
2015-04-03 00:45:42 +00:00
|
|
|
// RegisterAuth is used to take an Auth response with an associated lease.
|
2015-04-08 20:35:32 +00:00
|
|
|
// The token does not get a LeaseID, but the lease management is handled by
|
2015-04-03 00:45:42 +00:00
|
|
|
// the expiration manager.
|
|
|
|
func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) error {
|
2015-04-08 23:43:17 +00:00
|
|
|
defer metrics.MeasureSince([]string{"expire", "register-auth"}, time.Now())
|
2015-04-11 04:21:06 +00:00
|
|
|
|
2015-03-24 01:11:15 +00:00
|
|
|
// Create a lease entry
|
|
|
|
le := leaseEntry{
|
2015-04-10 21:48:08 +00:00
|
|
|
LeaseID: path.Join(source, m.tokenStore.SaltID(auth.ClientToken)),
|
|
|
|
ClientToken: auth.ClientToken,
|
|
|
|
Auth: auth,
|
|
|
|
Path: source,
|
2015-06-17 21:28:13 +00:00
|
|
|
IssueTime: time.Now().UTC(),
|
2015-04-10 21:48:08 +00:00
|
|
|
ExpireTime: auth.ExpirationTime(),
|
2015-03-24 01:11:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Encode the entry
|
|
|
|
if err := m.persistEntry(&le); err != nil {
|
2015-04-03 00:45:42 +00:00
|
|
|
return err
|
2015-03-24 01:11:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Setup revocation timer
|
2015-04-09 19:39:12 +00:00
|
|
|
m.updatePending(&le, auth.LeaseTotal())
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-01-04 21:43:07 +00:00
|
|
|
// FetchLeaseTimesByToken is a helper function to use token values to compute
|
|
|
|
// the leaseID, rather than pushing that logic back into the token store.
|
|
|
|
func (m *ExpirationManager) FetchLeaseTimesByToken(source, token string) (*leaseEntry, error) {
|
|
|
|
defer metrics.MeasureSince([]string{"expire", "fetch-lease-times-by-token"}, time.Now())
|
|
|
|
|
|
|
|
// Compute the Lease ID
|
|
|
|
leaseID := path.Join(source, m.tokenStore.SaltID(token))
|
|
|
|
return m.FetchLeaseTimes(leaseID)
|
|
|
|
}
|
|
|
|
|
|
|
|
// FetchLeaseTimes is used to fetch the issue time, expiration time, and last
|
|
|
|
// renewed time of a lease entry. It returns a leaseEntry itself, but with only
|
|
|
|
// those values copied over.
|
|
|
|
func (m *ExpirationManager) FetchLeaseTimes(leaseID string) (*leaseEntry, error) {
|
|
|
|
defer metrics.MeasureSince([]string{"expire", "fetch-lease-times"}, time.Now())
|
|
|
|
|
|
|
|
// Load the entry
|
|
|
|
le, err := m.loadEntry(leaseID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if le == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
ret := &leaseEntry{
|
|
|
|
IssueTime: le.IssueTime,
|
|
|
|
ExpireTime: le.ExpireTime,
|
|
|
|
LastRenewalTime: le.LastRenewalTime,
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret, nil
|
|
|
|
}
|
|
|
|
|
2015-04-09 19:39:12 +00:00
|
|
|
// updatePending is used to update a pending invocation for a lease
|
|
|
|
func (m *ExpirationManager) updatePending(le *leaseEntry, leaseTotal time.Duration) {
|
|
|
|
m.pendingLock.Lock()
|
|
|
|
defer m.pendingLock.Unlock()
|
|
|
|
|
|
|
|
// Check for an existing timer
|
|
|
|
timer, ok := m.pending[le.LeaseID]
|
|
|
|
|
|
|
|
// Create entry if it does not exist
|
|
|
|
if !ok && leaseTotal > 0 {
|
|
|
|
timer := time.AfterFunc(leaseTotal, func() {
|
2015-04-08 22:43:26 +00:00
|
|
|
m.expireID(le.LeaseID)
|
|
|
|
})
|
2015-04-09 19:39:12 +00:00
|
|
|
m.pending[le.LeaseID] = timer
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete the timer if the expiration time is zero
|
|
|
|
if ok && leaseTotal == 0 {
|
|
|
|
timer.Stop()
|
|
|
|
delete(m.pending, le.LeaseID)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Extend the timer by the lease total
|
|
|
|
if ok && leaseTotal > 0 {
|
|
|
|
timer.Reset(leaseTotal)
|
2015-04-08 22:43:26 +00:00
|
|
|
}
|
2015-03-24 01:11:15 +00:00
|
|
|
}
|
|
|
|
|
2015-03-16 01:06:19 +00:00
|
|
|
// expireID is invoked when a given ID is expired
|
2015-04-08 20:35:32 +00:00
|
|
|
func (m *ExpirationManager) expireID(leaseID string) {
|
2015-03-16 01:06:19 +00:00
|
|
|
// Clear from the pending expiration
|
|
|
|
m.pendingLock.Lock()
|
2015-04-08 20:35:32 +00:00
|
|
|
delete(m.pending, leaseID)
|
2015-03-16 01:06:19 +00:00
|
|
|
m.pendingLock.Unlock()
|
|
|
|
|
2015-03-16 18:33:59 +00:00
|
|
|
for attempt := uint(0); attempt < maxRevokeAttempts; attempt++ {
|
2015-04-08 20:35:32 +00:00
|
|
|
err := m.Revoke(leaseID)
|
2015-03-16 18:33:59 +00:00
|
|
|
if err == nil {
|
2015-04-08 20:35:32 +00:00
|
|
|
m.logger.Printf("[INFO] expire: revoked '%s'", leaseID)
|
2015-03-16 18:33:59 +00:00
|
|
|
return
|
|
|
|
}
|
2015-04-08 20:35:32 +00:00
|
|
|
m.logger.Printf("[ERR] expire: failed to revoke '%s': %v", leaseID, err)
|
2015-03-16 18:33:59 +00:00
|
|
|
time.Sleep((1 << attempt) * revokeRetryBase)
|
2015-03-16 01:06:19 +00:00
|
|
|
}
|
2015-04-08 20:35:32 +00:00
|
|
|
m.logger.Printf("[ERR] expire: maximum revoke attempts for '%s' reached", leaseID)
|
2015-03-16 01:06:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// revokeEntry is used to attempt revocation of an internal entry
|
|
|
|
func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
|
2015-03-24 01:11:15 +00:00
|
|
|
// Revocation of login tokens is special since we can by-pass the
|
|
|
|
// backend and directly interact with the token store
|
2015-04-03 18:58:10 +00:00
|
|
|
if le.Auth != nil {
|
|
|
|
if err := m.tokenStore.RevokeTree(le.Auth.ClientToken); err != nil {
|
2015-03-24 01:11:15 +00:00
|
|
|
return fmt.Errorf("failed to revoke token: %v", err)
|
|
|
|
}
|
2015-09-10 01:58:09 +00:00
|
|
|
|
2015-03-24 01:11:15 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Handle standard revocation via backends
|
2015-03-19 19:20:25 +00:00
|
|
|
_, err := m.router.Route(logical.RevokeRequest(
|
2015-03-19 22:11:42 +00:00
|
|
|
le.Path, le.Secret, le.Data))
|
2015-03-16 18:33:59 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to revoke entry: %v", err)
|
|
|
|
}
|
|
|
|
return nil
|
2015-03-16 01:06:19 +00:00
|
|
|
}
|
|
|
|
|
2015-03-16 20:29:51 +00:00
|
|
|
// renewEntry is used to attempt renew of an internal entry
|
2015-03-16 21:59:37 +00:00
|
|
|
func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
|
2015-03-19 22:11:42 +00:00
|
|
|
secret := *le.Secret
|
2015-08-21 05:27:01 +00:00
|
|
|
secret.IssueTime = le.IssueTime
|
|
|
|
secret.Increment = increment
|
2015-04-08 20:35:32 +00:00
|
|
|
secret.LeaseID = ""
|
2015-03-19 22:11:42 +00:00
|
|
|
|
2015-04-09 21:23:37 +00:00
|
|
|
req := logical.RenewRequest(le.Path, &secret, le.Data)
|
|
|
|
resp, err := m.router.Route(req)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to renew entry: %v", err)
|
|
|
|
}
|
|
|
|
return resp, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// renewAuthEntry is used to attempt renew of an auth entry
|
|
|
|
func (m *ExpirationManager) renewAuthEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
|
|
|
|
auth := *le.Auth
|
2015-08-21 05:27:01 +00:00
|
|
|
auth.IssueTime = le.IssueTime
|
|
|
|
auth.Increment = increment
|
2015-04-09 21:23:37 +00:00
|
|
|
auth.ClientToken = ""
|
|
|
|
|
2015-04-11 21:46:09 +00:00
|
|
|
req := logical.RenewAuthRequest(le.Path, &auth, nil)
|
2015-04-09 21:23:37 +00:00
|
|
|
resp, err := m.router.Route(req)
|
2015-03-16 20:29:51 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to renew entry: %v", err)
|
|
|
|
}
|
|
|
|
return resp, nil
|
|
|
|
}
|
|
|
|
|
2015-03-16 01:06:19 +00:00
|
|
|
// loadEntry is used to read a lease entry
|
2015-04-08 20:35:32 +00:00
|
|
|
func (m *ExpirationManager) loadEntry(leaseID string) (*leaseEntry, error) {
|
2015-04-10 21:21:23 +00:00
|
|
|
out, err := m.idView.Get(leaseID)
|
2015-03-16 01:06:19 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to read lease entry: %v", err)
|
|
|
|
}
|
|
|
|
if out == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
le, err := decodeLeaseEntry(out.Value)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to decode lease entry: %v", err)
|
|
|
|
}
|
|
|
|
return le, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// persistEntry is used to persist a lease entry
|
|
|
|
func (m *ExpirationManager) persistEntry(le *leaseEntry) error {
|
2015-03-13 17:55:54 +00:00
|
|
|
// Encode the entry
|
|
|
|
buf, err := le.encode()
|
|
|
|
if err != nil {
|
2015-03-16 01:06:19 +00:00
|
|
|
return fmt.Errorf("failed to encode lease entry: %v", err)
|
2015-03-13 17:55:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Write out to the view
|
2015-03-15 20:52:43 +00:00
|
|
|
ent := logical.StorageEntry{
|
2015-04-08 20:35:32 +00:00
|
|
|
Key: le.LeaseID,
|
2015-03-13 17:55:54 +00:00
|
|
|
Value: buf,
|
|
|
|
}
|
2015-04-10 21:21:23 +00:00
|
|
|
if err := m.idView.Put(&ent); err != nil {
|
2015-03-16 01:06:19 +00:00
|
|
|
return fmt.Errorf("failed to persist lease entry: %v", err)
|
2015-03-13 17:55:54 +00:00
|
|
|
}
|
2015-03-16 01:06:19 +00:00
|
|
|
return nil
|
|
|
|
}
|
2015-03-13 17:55:54 +00:00
|
|
|
|
2015-03-16 01:06:19 +00:00
|
|
|
// deleteEntry is used to delete a lease entry
|
2015-04-08 20:35:32 +00:00
|
|
|
func (m *ExpirationManager) deleteEntry(leaseID string) error {
|
2015-04-10 21:21:23 +00:00
|
|
|
if err := m.idView.Delete(leaseID); err != nil {
|
2015-03-16 01:06:19 +00:00
|
|
|
return fmt.Errorf("failed to delete lease entry: %v", err)
|
|
|
|
}
|
|
|
|
return nil
|
2015-03-13 17:55:54 +00:00
|
|
|
}
|
|
|
|
|
2015-11-04 15:48:44 +00:00
|
|
|
// createIndexByToken creates a secondary index from the token to a lease entry
|
|
|
|
func (m *ExpirationManager) createIndexByToken(token, leaseID string) error {
|
2015-04-10 21:48:08 +00:00
|
|
|
ent := logical.StorageEntry{
|
|
|
|
Key: m.tokenStore.SaltID(token) + "/" + m.tokenStore.SaltID(leaseID),
|
|
|
|
Value: []byte(leaseID),
|
|
|
|
}
|
|
|
|
if err := m.tokenView.Put(&ent); err != nil {
|
|
|
|
return fmt.Errorf("failed to persist lease index entry: %v", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-11-04 15:48:44 +00:00
|
|
|
// indexByToken looks up the secondary index from the token to a lease entry
|
|
|
|
func (m *ExpirationManager) indexByToken(token, leaseID string) (*logical.StorageEntry, error) {
|
|
|
|
key := m.tokenStore.SaltID(token) + "/" + m.tokenStore.SaltID(leaseID)
|
|
|
|
entry, err := m.tokenView.Get(key)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to look up secondary index entry")
|
|
|
|
}
|
|
|
|
return entry, nil
|
|
|
|
}
|
|
|
|
|
2015-04-10 21:48:08 +00:00
|
|
|
// removeIndexByToken removes the secondary index from the token to a lease entry
|
|
|
|
func (m *ExpirationManager) removeIndexByToken(token, leaseID string) error {
|
|
|
|
key := m.tokenStore.SaltID(token) + "/" + m.tokenStore.SaltID(leaseID)
|
|
|
|
if err := m.tokenView.Delete(key); err != nil {
|
|
|
|
return fmt.Errorf("failed to delete lease index entry: %v", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// lookupByToken is used to lookup all the leaseID's via the
|
|
|
|
func (m *ExpirationManager) lookupByToken(token string) ([]string, error) {
|
|
|
|
// Scan via the index for sub-leases
|
|
|
|
prefix := m.tokenStore.SaltID(token) + "/"
|
|
|
|
subKeys, err := m.tokenView.List(prefix)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to list leases: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read each index entry
|
|
|
|
leaseIDs := make([]string, 0, len(subKeys))
|
|
|
|
for _, sub := range subKeys {
|
|
|
|
out, err := m.tokenView.Get(prefix + sub)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to read lease index: %v", err)
|
|
|
|
}
|
|
|
|
if out == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
leaseIDs = append(leaseIDs, string(out.Value))
|
|
|
|
}
|
|
|
|
return leaseIDs, nil
|
|
|
|
}
|
|
|
|
|
2015-04-08 23:43:17 +00:00
|
|
|
// emitMetrics is invoked periodically to emit statistics
|
|
|
|
func (m *ExpirationManager) emitMetrics() {
|
|
|
|
m.pendingLock.Lock()
|
|
|
|
num := len(m.pending)
|
|
|
|
m.pendingLock.Unlock()
|
|
|
|
metrics.SetGauge([]string{"expire", "num_leases"}, float32(num))
|
|
|
|
}
|
|
|
|
|
2015-03-13 17:55:54 +00:00
|
|
|
// leaseEntry is used to structure the values the expiration
|
|
|
|
// manager stores. This is used to handle renew and revocation.
|
|
|
|
type leaseEntry struct {
|
2016-01-04 21:43:07 +00:00
|
|
|
LeaseID string `json:"lease_id"`
|
|
|
|
ClientToken string `json:"client_token"`
|
|
|
|
Path string `json:"path"`
|
|
|
|
Data map[string]interface{} `json:"data"`
|
|
|
|
Secret *logical.Secret `json:"secret"`
|
|
|
|
Auth *logical.Auth `json:"auth"`
|
|
|
|
IssueTime time.Time `json:"issue_time"`
|
|
|
|
ExpireTime time.Time `json:"expire_time"`
|
|
|
|
LastRenewalTime time.Time `json:"last_renewal_time"`
|
2015-03-13 17:55:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// encode is used to JSON encode the lease entry
|
|
|
|
func (l *leaseEntry) encode() ([]byte, error) {
|
|
|
|
return json.Marshal(l)
|
|
|
|
}
|
|
|
|
|
2015-04-09 21:23:37 +00:00
|
|
|
func (le *leaseEntry) renewable() error {
|
|
|
|
// If there is no entry, cannot review
|
|
|
|
if le == nil || le.ExpireTime.IsZero() {
|
2015-06-18 22:37:08 +00:00
|
|
|
return fmt.Errorf("lease not found or lease is not renewable")
|
2015-04-09 21:23:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Determine if the lease is expired
|
|
|
|
if le.ExpireTime.Before(time.Now().UTC()) {
|
|
|
|
return fmt.Errorf("lease expired")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Determine if the lease is renewable
|
|
|
|
if le.Secret != nil && !le.Secret.Renewable {
|
|
|
|
return fmt.Errorf("lease is not renewable")
|
|
|
|
}
|
|
|
|
if le.Auth != nil && !le.Auth.Renewable {
|
|
|
|
return fmt.Errorf("lease is not renewable")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-03-13 17:55:54 +00:00
|
|
|
// decodeLeaseEntry is used to reverse encode and return a new entry
|
|
|
|
func decodeLeaseEntry(buf []byte) (*leaseEntry, error) {
|
|
|
|
out := new(leaseEntry)
|
|
|
|
return out, json.Unmarshal(buf, out)
|
2015-03-13 01:38:15 +00:00
|
|
|
}
|