open-vault/vault/dynamic_system_view.go

package vault

import (
	"context"
	"fmt"
	"time"

	"github.com/hashicorp/errwrap"

	"github.com/hashicorp/vault/helper/consts"
	"github.com/hashicorp/vault/helper/pluginutil"
	"github.com/hashicorp/vault/helper/wrapping"
	"github.com/hashicorp/vault/logical"
)

type dynamicSystemView struct {
	core       *Core
	mountEntry *MountEntry
}

func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
	def, _ := d.fetchTTLs()
	return def
}

func (d dynamicSystemView) MaxLeaseTTL() time.Duration {
	_, max := d.fetchTTLs()
	return max
}

func (d dynamicSystemView) SudoPrivilege(path string, token string) bool {
	// Resolve the token policy
	te, err := d.core.tokenStore.Lookup(token)
	if err != nil {
		d.core.logger.Error("core: failed to lookup token", "error", err)
		return false
	}

	// Ensure the token is valid
	if te == nil {
		d.core.logger.Error("entry not found for given token")
		return false
	}

	// Construct the corresponding ACL object
	acl, err := d.core.policyStore.ACL(te.Policies...)
	if err != nil {
		d.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)
		return false
	}

	// The operation type isn't important here as this is run from a path the
	// user has already been given access to; we only care about whether they
	// have sudo
	req := new(logical.Request)
	req.Operation = logical.ReadOperation
	req.Path = path
	authResults := acl.AllowOperation(req)
	return authResults.RootPrivs
}

// TTLsByPath returns the default and max TTLs corresponding to a particular
// mount point, or the system default
func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {
	def = d.core.defaultLeaseTTL
	max = d.core.maxLeaseTTL

	if d.mountEntry.Config.DefaultLeaseTTL != 0 {
		def = d.mountEntry.Config.DefaultLeaseTTL
	}
	if d.mountEntry.Config.MaxLeaseTTL != 0 {
		max = d.mountEntry.Config.MaxLeaseTTL
	}

	return
}

// Tainted indicates that the mount is in the process of being removed
func (d dynamicSystemView) Tainted() bool {
	return d.mountEntry.Tainted
}

// CachingDisabled indicates whether to use caching behavior
func (d dynamicSystemView) CachingDisabled() bool {
	return d.core.cachingDisabled || (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)
}

// Checks if this is a primary Vault instance. Caller should hold the stateLock
// in read mode.
func (d dynamicSystemView) ReplicationState() consts.ReplicationState {
	return d.core.replicationState
}

// ResponseWrapData wraps the given data in a cubbyhole and returns the
// token used to unwrap.
func (d dynamicSystemView) ResponseWrapData(data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
	req := &logical.Request{
		Operation: logical.CreateOperation,
		Path:      "sys/wrapping/wrap",
	}

	resp := &logical.Response{
		WrapInfo: &wrapping.ResponseWrapInfo{
			TTL: ttl,
		},
		Data: data,
	}

	if jwt {
		resp.WrapInfo.Format = "jwt"
	}

	_, err := d.core.wrapInCubbyhole(context.TODO(), req, resp, nil)
	if err != nil {
		return nil, err
	}

	return resp.WrapInfo, nil
}

// LookupPlugin looks for a plugin with the given name in the plugin catalog. It
// returns a PluginRunner or an error if no plugin was found.
func (d dynamicSystemView) LookupPlugin(name string) (*pluginutil.PluginRunner, error) {
	if d.core == nil {
		return nil, fmt.Errorf("system view core is nil")
	}
	if d.core.pluginCatalog == nil {
		return nil, fmt.Errorf("system view core plugin catalog is nil")
	}
	r, err := d.core.pluginCatalog.Get(name)
	if err != nil {
		return nil, err
	}
	if r == nil {
		return nil, errwrap.Wrapf(fmt.Sprintf("{{err}}: %s", name), ErrPluginNotFound)
	}

	return r, nil
}

// MlockEnabled returns the configuration setting for enabling mlock on plugins.
func (d dynamicSystemView) MlockEnabled() bool {
	return d.core.enableMlock
}
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`package vault`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
return a 404 when no plugin is found 2017-04-25 01:31:27 +00:00			`"fmt"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`"time"`

Lazy-load plugin mounts (#3255) * Lazy load plugins to avoid setup-unwrap cycle * Remove commented blocks * Refactor NewTestCluster, use single core cluster on basic plugin tests * Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly * Add special path to mock plugin * Move ensureCoresSealed to vault/testing.go * Use same method for EnsureCoresSealed and Cleanup * Bump ensureCoresSealed timeout to 60s * Correctly handle nil opts on NewTestCluster * Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap * Check metadata flag directly on the plugin process * Plumb isMetadataMode down to PluginRunner * Add NOOP shims when running in metadata mode * Remove unused flag from the APIMetadata object * Remove setupSecretPlugins and setupCredentialPlugins functions * Move when we setup rollback manager to after the plugins are initialized * Fix tests * Fix merge issue * start rollback manager after the credential setup * Add guards against running certain client and server functions while in metadata mode * Call initialize once a plugin is loaded on the fly * Add more tests, update basic secret/auth plugin tests to trigger lazy loading * Skip mount if plugin removed from catalog * Fixup * Remove commented line on LookupPlugin * Fail on mount operation if plugin is re-added to catalog and mount is on existing path * Check type and special paths on startBackend * Fix merge conflicts * Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth 2017-09-01 05:02:03 +00:00			`"github.com/hashicorp/errwrap"`

Move ReplicationState to consts 2017-02-16 18:37:21 +00:00			`"github.com/hashicorp/vault/helper/consts"`
Plugin catalog 2017-04-04 00:52:29 +00:00			`"github.com/hashicorp/vault/helper/pluginutil"`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`"github.com/hashicorp/vault/helper/wrapping"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`"github.com/hashicorp/vault/logical"`
			`)`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00
			`type dynamicSystemView struct {`
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`core *Core`
			`mountEntry *MountEntry`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

Remove error returns from sysview TTL calls 2015-09-10 19:09:34 +00:00			`func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {`
			`def, _ := d.fetchTTLs()`
			`return def`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

Remove error returns from sysview TTL calls 2015-09-10 19:09:34 +00:00			`func (d dynamicSystemView) MaxLeaseTTL() time.Duration {`
			`_, max := d.fetchTTLs()`
			`return max`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`func (d dynamicSystemView) SudoPrivilege(path string, token string) bool {`
			`// Resolve the token policy`
			`te, err := d.core.tokenStore.Lookup(token)`
TokenStore: Provide access based on sudo permissions and not policy name 2015-09-18 23:59:06 +00:00			`if err != nil {`
Convert to logxi 2016-08-19 20:45:17 +00:00			`d.core.logger.Error("core: failed to lookup token", "error", err)`
TokenStore: Provide access based on sudo permissions and not policy name 2015-09-18 23:59:06 +00:00			`return false`
			`}`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00
			`// Ensure the token is valid`
			`if te == nil {`
Convert to logxi 2016-08-19 20:45:17 +00:00			`d.core.logger.Error("entry not found for given token")`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`return false`
			`}`

			`// Construct the corresponding ACL object`
Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 16:52:26 +00:00			`acl, err := d.core.policyStore.ACL(te.Policies...)`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`if err != nil {`
Convert to logxi 2016-08-19 20:45:17 +00:00			`d.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`return false`
			`}`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// The operation type isn't important here as this is run from a path the`
			`// user has already been given access to; we only care about whether they`
			`// have sudo`
Format dynamic_system_view.go 2017-01-20 00:54:08 +00:00			`req := new(logical.Request)`
			`req.Operation = logical.ReadOperation`
			`req.Path = path`
Sync over 2017-10-23 20:03:36 +00:00			`authResults := acl.AllowOperation(req)`
			`return authResults.RootPrivs`
TokenStore: Provide access based on sudo permissions and not policy name 2015-09-18 23:59:06 +00:00			`}`

Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`// TTLsByPath returns the default and max TTLs corresponding to a particular`
			`// mount point, or the system default`
Remove error returns from sysview TTL calls 2015-09-10 19:09:34 +00:00			`func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`def = d.core.defaultLeaseTTL`
			`max = d.core.maxLeaseTTL`

Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`if d.mountEntry.Config.DefaultLeaseTTL != 0 {`
			`def = d.mountEntry.Config.DefaultLeaseTTL`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`if d.mountEntry.Config.MaxLeaseTTL != 0 {`
			`max = d.mountEntry.Config.MaxLeaseTTL`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

			`return`
			`}`
Allow backends to see taint status. This can be seen via System(). In the PKI backend, if the CA is reconfigured but not fully (e.g. an intermediate CSR is generated but no corresponding cert set) and there are already leases (issued certs), the CRL is unable to be built. As a result revocation fails. But in this case we don't actually need revocation to be successful since the CRL is useless after unmounting. By checking taint status we know if we can simply fast-path out of revocation with a success in this case. Fixes #946 2016-01-22 22:01:22 +00:00
			`// Tainted indicates that the mount is in the process of being removed`
			`func (d dynamicSystemView) Tainted() bool {`
			`return d.mountEntry.Tainted`
			`}`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`// CachingDisabled indicates whether to use caching behavior`
			`func (d dynamicSystemView) CachingDisabled() bool {`
Add option to disable caching per-backend. (#2455) 2017-03-08 14:20:09 +00:00			`return d.core.cachingDisabled \|\| (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`}`
Rejig dynamic system view to build without tags 2017-01-12 20:13:47 +00:00
Update locking components from DR replication changes (#3283) * Update locking components from DR replication changes * Fix plugin backend test * Add a comment about needing the statelock: 2017-09-04 23:38:37 +00:00			`// Checks if this is a primary Vault instance. Caller should hold the stateLock`
			`// in read mode.`
Move ReplicationState to consts 2017-02-16 18:37:21 +00:00			`func (d dynamicSystemView) ReplicationState() consts.ReplicationState {`
Update locking components from DR replication changes (#3283) * Update locking components from DR replication changes * Fix plugin backend test * Add a comment about needing the statelock: 2017-09-04 23:38:37 +00:00			`return d.core.replicationState`
Rejig dynamic system view to build without tags 2017-01-12 20:13:47 +00:00			`}`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00
			`// ResponseWrapData wraps the given data in a cubbyhole and returns the`
			`// token used to unwrap.`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`func (d dynamicSystemView) ResponseWrapData(data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`req := &logical.Request{`
			`Operation: logical.CreateOperation,`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`Path: "sys/wrapping/wrap",`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`}`

			`resp := &logical.Response{`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`WrapInfo: &wrapping.ResponseWrapInfo{`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`TTL: ttl,`
			`},`
			`Data: data,`
			`}`

			`if jwt {`
			`resp.WrapInfo.Format = "jwt"`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`_, err := d.core.wrapInCubbyhole(context.TODO(), req, resp, nil)`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`if err != nil {`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`return nil, err`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`}`

Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`return resp.WrapInfo, nil`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`}`
Plugin catalog 2017-04-04 00:52:29 +00:00
Mlock the plugin process 2017-04-11 00:12:52 +00:00			`// LookupPlugin looks for a plugin with the given name in the plugin catalog. It`
			`// returns a PluginRunner or an error if no plugin was found.`
Plugin catalog 2017-04-04 00:52:29 +00:00			`func (d dynamicSystemView) LookupPlugin(name string) (*pluginutil.PluginRunner, error) {`
Add plugin auto-reload capability (#3171) * Add automatic plugin reload * Refactor builtin/backend * Remove plugin reload at the core level * Refactor plugin tests * Add auto-reload test case * Change backend to use sync.RWMutex, fix dangling test plugin processes * Add a canary to plugin backends to avoid reloading many times (#3174) * Call setupPluginCatalog before mount-related operations in postUnseal * Don't create multiple system backends since core only holds a reference (#3176) to one. 2017-08-16 02:10:32 +00:00			`if d.core == nil {`
			`return nil, fmt.Errorf("system view core is nil")`
			`}`
			`if d.core.pluginCatalog == nil {`
			`return nil, fmt.Errorf("system view core plugin catalog is nil")`
			`}`
return a 404 when no plugin is found 2017-04-25 01:31:27 +00:00			`r, err := d.core.pluginCatalog.Get(name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if r == nil {`
Lazy-load plugin mounts (#3255) * Lazy load plugins to avoid setup-unwrap cycle * Remove commented blocks * Refactor NewTestCluster, use single core cluster on basic plugin tests * Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly * Add special path to mock plugin * Move ensureCoresSealed to vault/testing.go * Use same method for EnsureCoresSealed and Cleanup * Bump ensureCoresSealed timeout to 60s * Correctly handle nil opts on NewTestCluster * Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap * Check metadata flag directly on the plugin process * Plumb isMetadataMode down to PluginRunner * Add NOOP shims when running in metadata mode * Remove unused flag from the APIMetadata object * Remove setupSecretPlugins and setupCredentialPlugins functions * Move when we setup rollback manager to after the plugins are initialized * Fix tests * Fix merge issue * start rollback manager after the credential setup * Add guards against running certain client and server functions while in metadata mode * Call initialize once a plugin is loaded on the fly * Add more tests, update basic secret/auth plugin tests to trigger lazy loading * Skip mount if plugin removed from catalog * Fixup * Remove commented line on LookupPlugin * Fail on mount operation if plugin is re-added to catalog and mount is on existing path * Check type and special paths on startBackend * Fix merge conflicts * Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth 2017-09-01 05:02:03 +00:00			`return nil, errwrap.Wrapf(fmt.Sprintf("{{err}}: %s", name), ErrPluginNotFound)`
return a 404 when no plugin is found 2017-04-25 01:31:27 +00:00			`}`

			`return r, nil`
Plugin catalog 2017-04-04 00:52:29 +00:00			`}`
Mlock the plugin process 2017-04-11 00:12:52 +00:00
Change MlockDisabled to MlockEnabled 2017-04-24 19:21:49 +00:00			`// MlockEnabled returns the configuration setting for enabling mlock on plugins.`
			`func (d dynamicSystemView) MlockEnabled() bool {`
			`return d.core.enableMlock`
Mlock the plugin process 2017-04-11 00:12:52 +00:00			`}`