open-vault/builtin/credential/approle/path_tidy_user_id.go

package approle

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/go-multierror"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathTidySecretID(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "tidy/secret-id$",

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: b.pathTidySecretIDUpdate,
		},

		HelpSynopsis:    pathTidySecretIDSyn,
		HelpDescription: pathTidySecretIDDesc,
	}
}

// tidySecretID is used to delete entries in the whitelist that are expired.
func (b *backend) tidySecretID(ctx context.Context, s logical.Storage) error {
	grabbed := atomic.CompareAndSwapUint32(b.tidySecretIDCASGuard, 0, 1)
	if grabbed {
		defer atomic.StoreUint32(b.tidySecretIDCASGuard, 0)
	} else {
		return fmt.Errorf("SecretID tidy operation already running")
	}

	var result error

	tidyFunc := func(secretIDPrefixToUse, accessorIDPrefixToUse string) error {
		roleNameHMACs, err := s.List(ctx, secretIDPrefixToUse)
		if err != nil {
			return err
		}

		// List all the accessors and add them all to a map
		accessorHashes, err := s.List(ctx, accessorIDPrefixToUse)
		if err != nil {
			return err
		}
		accessorMap := make(map[string]bool, len(accessorHashes))
		for _, accessorHash := range accessorHashes {
			accessorMap[accessorHash] = true
		}

		secretIDCleanupFunc := func(secretIDHMAC, roleNameHMAC, secretIDPrefixToUse string) error {
			lock := b.secretIDLock(secretIDHMAC)
			lock.Lock()
			defer lock.Unlock()

			entryIndex := fmt.Sprintf("%s%s%s", secretIDPrefixToUse, roleNameHMAC, secretIDHMAC)
			secretIDEntry, err := s.Get(ctx, entryIndex)
			if err != nil {
				return errwrap.Wrapf(fmt.Sprintf("error fetching SecretID %q: {{err}}", secretIDHMAC), err)
			}

			if secretIDEntry == nil {
				result = multierror.Append(result, fmt.Errorf("entry for SecretID %q is nil", secretIDHMAC))
				return nil
			}

			if secretIDEntry.Value == nil || len(secretIDEntry.Value) == 0 {
				return fmt.Errorf("found entry for SecretID %q but actual SecretID is empty", secretIDHMAC)
			}

			var result secretIDStorageEntry
			if err := secretIDEntry.DecodeJSON(&result); err != nil {
				return err
			}

			// If a secret ID entry does not have a corresponding accessor
			// entry, revoke the secret ID immediately
			accessorEntry, err := b.secretIDAccessorEntry(ctx, s, result.SecretIDAccessor, secretIDPrefixToUse)
			if err != nil {
				return errwrap.Wrapf("failed to read secret ID accessor entry: {{err}}", err)
			}
			if accessorEntry == nil {
				if err := s.Delete(ctx, entryIndex); err != nil {
					return errwrap.Wrapf(fmt.Sprintf("error deleting secret ID %q from storage: {{err}}", secretIDHMAC), err)
				}
				return nil
			}

			// ExpirationTime not being set indicates non-expiring SecretIDs
			if !result.ExpirationTime.IsZero() && time.Now().After(result.ExpirationTime) {
				// Clean up the accessor of the secret ID first
				err = b.deleteSecretIDAccessorEntry(ctx, s, result.SecretIDAccessor, secretIDPrefixToUse)
				if err != nil {
					return errwrap.Wrapf("failed to delete secret ID accessor entry: {{err}}", err)
				}

				if err := s.Delete(ctx, entryIndex); err != nil {
					return errwrap.Wrapf(fmt.Sprintf("error deleting SecretID %q from storage: {{err}}", secretIDHMAC), err)
				}

				return nil
			}

			// At this point, the secret ID is not expired and is valid. Delete
			// the corresponding accessor from the accessorMap. This will leave
			// only the dangling accessors in the map which can then be cleaned
			// up later.
			salt, err := b.Salt(ctx)
			if err != nil {
				return err
			}
			delete(accessorMap, salt.SaltID(result.SecretIDAccessor))

			return nil
		}

		for _, roleNameHMAC := range roleNameHMACs {
			secretIDHMACs, err := s.List(ctx, fmt.Sprintf("%s%s", secretIDPrefixToUse, roleNameHMAC))
			if err != nil {
				return err
			}
			for _, secretIDHMAC := range secretIDHMACs {
				err = secretIDCleanupFunc(secretIDHMAC, roleNameHMAC, secretIDPrefixToUse)
				if err != nil {
					return err
				}
			}
		}

		// Accessor indexes were not getting cleaned up until 0.9.3. This is a fix
		// to clean up the dangling accessor entries.
		for accessorHash, _ := range accessorMap {
			// Ideally, locking should be performed here. But for that, accessors
			// are required in plaintext, which are not available. Hence performing
			// a racy cleanup.
			err = s.Delete(ctx, secretIDAccessorPrefix+accessorHash)
			if err != nil {
				return err
			}
		}

		return nil
	}

	err := tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
	if err != nil {
		return err
	}
	err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
	if err != nil {
		return err
	}

	return result
}

// pathTidySecretIDUpdate is used to delete the expired SecretID entries
func (b *backend) pathTidySecretIDUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	return nil, b.tidySecretID(ctx, req.Storage)
}

const pathTidySecretIDSyn = "Trigger the clean-up of expired SecretID entries."
const pathTidySecretIDDesc = `SecretIDs will have expiration time attached to them. The periodic function
of the backend will look for expired entries and delete them. This happens once in a minute. Invoking
this endpoint will trigger the clean-up action, without waiting for the backend's periodic function.`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`package approle`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`"fmt"`
			`"sync/atomic"`
			`"time"`

Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`"github.com/hashicorp/errwrap"`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`"github.com/hashicorp/go-multierror"`
			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`func pathTidySecretID(b backend) framework.Path {`
			`return &framework.Path{`
			`Pattern: "tidy/secret-id$",`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.UpdateOperation: b.pathTidySecretIDUpdate,`
			`},`

			`HelpSynopsis: pathTidySecretIDSyn,`
			`HelpDescription: pathTidySecretIDDesc,`
			`}`
			`}`

			`// tidySecretID is used to delete entries in the whitelist that are expired.`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b *backend) tidySecretID(ctx context.Context, s logical.Storage) error {`
Some atomic cleanup (#4732) Taking inspiration from https://github.com/golang/go/issues/17604#issuecomment-256384471 suggests that taking the address of a stack variable for use in atomics works (at least, the race detector doesn't complain) but is doing it wrong. The only other change is a change in Leader() detecting if HA is enabled to fast-path out. This value never changes after NewCore, so we don't need to grab the read lock to check it. 2018-06-09 19:35:22 +00:00			`grabbed := atomic.CompareAndSwapUint32(b.tidySecretIDCASGuard, 0, 1)`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`if grabbed {`
Some atomic cleanup (#4732) Taking inspiration from https://github.com/golang/go/issues/17604#issuecomment-256384471 suggests that taking the address of a stack variable for use in atomics works (at least, the race detector doesn't complain) but is doing it wrong. The only other change is a change in Leader() detecting if HA is enabled to fast-path out. This value never changes after NewCore, so we don't need to grab the read lock to check it. 2018-06-09 19:35:22 +00:00			`defer atomic.StoreUint32(b.tidySecretIDCASGuard, 0)`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`} else {`
			`return fmt.Errorf("SecretID tidy operation already running")`
			`}`

Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00			`var result error`

			`tidyFunc := func(secretIDPrefixToUse, accessorIDPrefixToUse string) error {`
			`roleNameHMACs, err := s.List(ctx, secretIDPrefixToUse)`
local secret IDs 2018-04-23 14:51:55 +00:00			`if err != nil {`
			`return err`
			`}`
AppRole authentication backend 2016-05-30 18:30:01 +00:00
Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00			`// List all the accessors and add them all to a map`
			`accessorHashes, err := s.List(ctx, accessorIDPrefixToUse)`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`if err != nil {`
			`return err`
			`}`
Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00			`accessorMap := make(map[string]bool, len(accessorHashes))`
			`for _, accessorHash := range accessorHashes {`
			`accessorMap[accessorHash] = true`
			`}`

refactor to be able to defer lock.Unlock() 2018-04-24 20:17:24 +00:00			`secretIDCleanupFunc := func(secretIDHMAC, roleNameHMAC, secretIDPrefixToUse string) error {`
			`lock := b.secretIDLock(secretIDHMAC)`
			`lock.Lock()`
			`defer lock.Unlock()`

			`entryIndex := fmt.Sprintf("%s%s%s", secretIDPrefixToUse, roleNameHMAC, secretIDHMAC)`
			`secretIDEntry, err := s.Get(ctx, entryIndex)`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`if err != nil {`
refactor to be able to defer lock.Unlock() 2018-04-24 20:17:24 +00:00			`return errwrap.Wrapf(fmt.Sprintf("error fetching SecretID %q: {{err}}", secretIDHMAC), err)`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`}`

refactor to be able to defer lock.Unlock() 2018-04-24 20:17:24 +00:00			`if secretIDEntry == nil {`
			`result = multierror.Append(result, fmt.Errorf("entry for SecretID %q is nil", secretIDHMAC))`
			`return nil`
			`}`
AppRole authentication backend 2016-05-30 18:30:01 +00:00
refactor to be able to defer lock.Unlock() 2018-04-24 20:17:24 +00:00			`if secretIDEntry.Value == nil \|\| len(secretIDEntry.Value) == 0 {`
			`return fmt.Errorf("found entry for SecretID %q but actual SecretID is empty", secretIDHMAC)`
			`}`
AppRole authentication backend 2016-05-30 18:30:01 +00:00
refactor to be able to defer lock.Unlock() 2018-04-24 20:17:24 +00:00			`var result secretIDStorageEntry`
			`if err := secretIDEntry.DecodeJSON(&result); err != nil {`
			`return err`
			`}`

approle: Fix role name case sensitivity issue 2018-06-05 20:12:11 +00:00			`// If a secret ID entry does not have a corresponding accessor`
			`// entry, revoke the secret ID immediately`
			`accessorEntry, err := b.secretIDAccessorEntry(ctx, s, result.SecretIDAccessor, secretIDPrefixToUse)`
			`if err != nil {`
			`return errwrap.Wrapf("failed to read secret ID accessor entry: {{err}}", err)`
			`}`
			`if accessorEntry == nil {`
			`if err := s.Delete(ctx, entryIndex); err != nil {`
			`return errwrap.Wrapf(fmt.Sprintf("error deleting secret ID %q from storage: {{err}}", secretIDHMAC), err)`
			`}`
			`return nil`
			`}`

refactor to be able to defer lock.Unlock() 2018-04-24 20:17:24 +00:00			`// ExpirationTime not being set indicates non-expiring SecretIDs`
			`if !result.ExpirationTime.IsZero() && time.Now().After(result.ExpirationTime) {`
			`// Clean up the accessor of the secret ID first`
			`err = b.deleteSecretIDAccessorEntry(ctx, s, result.SecretIDAccessor, secretIDPrefixToUse)`
			`if err != nil {`
approle: Fix role name case sensitivity issue 2018-06-05 20:12:11 +00:00			`return errwrap.Wrapf("failed to delete secret ID accessor entry: {{err}}", err)`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`}`

refactor to be able to defer lock.Unlock() 2018-04-24 20:17:24 +00:00			`if err := s.Delete(ctx, entryIndex); err != nil {`
			`return errwrap.Wrapf(fmt.Sprintf("error deleting SecretID %q from storage: {{err}}", secretIDHMAC), err)`
Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00			`}`
approle: Fix role name case sensitivity issue 2018-06-05 20:12:11 +00:00
			`return nil`
refactor to be able to defer lock.Unlock() 2018-04-24 20:17:24 +00:00			`}`

			`// At this point, the secret ID is not expired and is valid. Delete`
			`// the corresponding accessor from the accessorMap. This will leave`
			`// only the dangling accessors in the map which can then be cleaned`
			`// up later.`
			`salt, err := b.Salt(ctx)`
			`if err != nil {`
			`return err`
			`}`
			`delete(accessorMap, salt.SaltID(result.SecretIDAccessor))`

			`return nil`
			`}`
Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00
refactor to be able to defer lock.Unlock() 2018-04-24 20:17:24 +00:00			`for _, roleNameHMAC := range roleNameHMACs {`
			`secretIDHMACs, err := s.List(ctx, fmt.Sprintf("%s%s", secretIDPrefixToUse, roleNameHMAC))`
			`if err != nil {`
			`return err`
			`}`
			`for _, secretIDHMAC := range secretIDHMACs {`
			`err = secretIDCleanupFunc(secretIDHMAC, roleNameHMAC, secretIDPrefixToUse)`
Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00			`if err != nil {`
			`return err`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`}`
			`}`
Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00			`}`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00
Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00			`// Accessor indexes were not getting cleaned up until 0.9.3. This is a fix`
			`// to clean up the dangling accessor entries.`
			`for accessorHash, _ := range accessorMap {`
			`// Ideally, locking should be performed here. But for that, accessors`
			`// are required in plaintext, which are not available. Hence performing`
			`// a racy cleanup.`
			`err = s.Delete(ctx, secretIDAccessorPrefix+accessorHash)`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`if err != nil {`
			`return err`
			`}`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`}`
Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00
			`return nil`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`}`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00
Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 20:02:55 +00:00			`err := tidyFunc(secretIDPrefix, secretIDAccessorPrefix)`
			`if err != nil {`
			`return err`
			`}`
			`err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)`
			`if err != nil {`
			`return err`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`}`

AppRole authentication backend 2016-05-30 18:30:01 +00:00			`return result`
			`}`

			`// pathTidySecretIDUpdate is used to delete the expired SecretID entries`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathTidySecretIDUpdate(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`return nil, b.tidySecretID(ctx, req.Storage)`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`}`

			`const pathTidySecretIDSyn = "Trigger the clean-up of expired SecretID entries."`
Update some approle related help output (#3747) 2018-01-03 18:56:14 +00:00			const pathTidySecretIDDesc = `SecretIDs will have expiration time attached to them. The periodic function
AppRole authentication backend 2016-05-30 18:30:01 +00:00			`of the backend will look for expired entries and delete them. This happens once in a minute. Invoking`
			this endpoint will trigger the clean-up action, without waiting for the backend's periodic function.`