open-vault/vault/logical_system_helpers.go

package vault

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"time"

	memdb "github.com/hashicorp/go-memdb"
	"github.com/hashicorp/vault/helper/namespace"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

var (
	invalidateMFAConfig = func(context.Context, *SystemBackend, string) {}

	sysInvalidate = func(b *SystemBackend) func(context.Context, string) {
		return nil
	}

	getSystemSchemas = func() []func() *memdb.TableSchema { return nil }

	getEGPListResponseKeyInfo = func(*SystemBackend, *namespace.Namespace) map[string]interface{} { return nil }
	addSentinelPolicyData     = func(map[string]interface{}, *Policy) {}
	inputSentinelPolicyData   = func(*framework.FieldData, *Policy) *logical.Response { return nil }

	controlGroupUnwrap = func(context.Context, *SystemBackend, string, bool) (string, error) {
		return "", errors.New("control groups unavailable")
	}

	pathInternalUINamespacesRead = func(b *SystemBackend) framework.OperationFunc {
		return func(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
			// Short-circuit here if there's no client token provided
			if req.ClientToken == "" {
				return nil, fmt.Errorf("client token empty")
			}

			// Load the ACL policies so we can check for access and filter namespaces
			_, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
			if err != nil {
				return nil, err
			}
			if entity != nil && entity.Disabled {
				b.logger.Warn("permission denied as the entity on the token is disabled")
				return nil, logical.ErrPermissionDenied
			}
			if te != nil && te.EntityID != "" && entity == nil {
				b.logger.Warn("permission denied as the entity on the token is invalid")
				return nil, logical.ErrPermissionDenied
			}

			return logical.ListResponse([]string{""}), nil
		}
	}

	pathLicenseRead = func(b *SystemBackend) framework.OperationFunc {
		return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
			return nil, nil
		}
	}

	pathLicenseUpdate = func(b *SystemBackend) framework.OperationFunc {
		return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
			return nil, nil
		}
	}

	entPaths = func(b *SystemBackend) []*framework.Path {
		return []*framework.Path{
			{
				Pattern: "replication/status",
				Callbacks: map[logical.Operation]framework.OperationFunc{
					logical.ReadOperation: func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
						resp := &logical.Response{
							Data: map[string]interface{}{
								"mode": "disabled",
							},
						}
						return resp, nil
					},
				},
			},
		}
	}

	checkRaw = func(b *SystemBackend, path string) error { return nil }
)

// tuneMount is used to set config on a mount point
func (b *SystemBackend) tuneMountTTLs(ctx context.Context, path string, me *MountEntry, newDefault, newMax time.Duration) error {
	zero := time.Duration(0)

	switch {
	case newDefault == zero && newMax == zero:
		// No checks needed

	case newDefault == zero && newMax != zero:
		// No default/max conflict, no checks needed

	case newDefault != zero && newMax == zero:
		// No default/max conflict, no checks needed

	case newDefault != zero && newMax != zero:
		if newMax < newDefault {
			return fmt.Errorf("backend max lease TTL of %d would be less than backend default lease TTL of %d", int(newMax.Seconds()), int(newDefault.Seconds()))
		}
	}

	origMax := me.Config.MaxLeaseTTL
	origDefault := me.Config.DefaultLeaseTTL

	me.Config.MaxLeaseTTL = newMax
	me.Config.DefaultLeaseTTL = newDefault

	// Update the mount table
	var err error
	switch {
	case strings.HasPrefix(path, credentialRoutePrefix):
		err = b.Core.persistAuth(ctx, b.Core.auth, &me.Local)
	default:
		err = b.Core.persistMounts(ctx, b.Core.mounts, &me.Local)
	}
	if err != nil {
		me.Config.MaxLeaseTTL = origMax
		me.Config.DefaultLeaseTTL = origDefault
		return fmt.Errorf("failed to update mount table, rolling back TTL changes")
	}
	if b.Core.logger.IsInfo() {
		b.Core.logger.Info("mount tuning of leases successful", "path", path)
	}

	return nil
}
Address items from feedback. Make MountConfig use values rather than pointers and change how config is read to compensate. 2015-09-09 19:24:45 +00:00			`package vault`

			`import (`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`"errors"`
Address items from feedback. Make MountConfig use values rather than pointers and change how config is read to compensate. 2015-09-09 19:24:45 +00:00			`"fmt"`
Properly persist auth mount tuning 2016-05-03 18:24:04 +00:00			`"strings"`
Fix up per-backend timing logic; also fix error in TypeDurationSecond in GetOkErr. 2015-09-21 13:39:37 +00:00			`"time"`
The big one (#5346) 2018-09-18 03:03:00 +00:00
			`memdb "github.com/hashicorp/go-memdb"`
			`"github.com/hashicorp/vault/helper/namespace"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`)`

			`var (`
			`invalidateMFAConfig = func(context.Context, *SystemBackend, string) {}`

			`sysInvalidate = func(b *SystemBackend) func(context.Context, string) {`
			`return nil`
			`}`

			`getSystemSchemas = func() []func() *memdb.TableSchema { return nil }`

			`getEGPListResponseKeyInfo = func(SystemBackend, namespace.Namespace) map[string]interface{} { return nil }`
			`addSentinelPolicyData = func(map[string]interface{}, *Policy) {}`
			`inputSentinelPolicyData = func(framework.FieldData, Policy) *logical.Response { return nil }`

			`controlGroupUnwrap = func(context.Context, *SystemBackend, string, bool) (string, error) {`
			`return "", errors.New("control groups unavailable")`
			`}`

			`pathInternalUINamespacesRead = func(b *SystemBackend) framework.OperationFunc {`
			`return func(ctx context.Context, req logical.Request, _ framework.FieldData) (*logical.Response, error) {`
			`// Short-circuit here if there's no client token provided`
			`if req.ClientToken == "" {`
			`return nil, fmt.Errorf("client token empty")`
			`}`

			`// Load the ACL policies so we can check for access and filter namespaces`
			`_, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if entity != nil && entity.Disabled {`
			`b.logger.Warn("permission denied as the entity on the token is disabled")`
			`return nil, logical.ErrPermissionDenied`
			`}`
			`if te != nil && te.EntityID != "" && entity == nil {`
			`b.logger.Warn("permission denied as the entity on the token is invalid")`
			`return nil, logical.ErrPermissionDenied`
			`}`

			`return logical.ListResponse([]string{""}), nil`
			`}`
			`}`

			`pathLicenseRead = func(b *SystemBackend) framework.OperationFunc {`
			`return func(ctx context.Context, req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`return nil, nil`
			`}`
			`}`

			`pathLicenseUpdate = func(b *SystemBackend) framework.OperationFunc {`
			`return func(ctx context.Context, req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`return nil, nil`
			`}`
			`}`

			`entPaths = func(b SystemBackend) []framework.Path {`
			`return []*framework.Path{`
			`{`
			`Pattern: "replication/status",`
			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ReadOperation: func(ctx context.Context, req logical.Request, data framework.FieldData) (*logical.Response, error) {`
			`resp := &logical.Response{`
			`Data: map[string]interface{}{`
			`"mode": "disabled",`
			`},`
			`}`
			`return resp, nil`
			`},`
			`},`
			`},`
			`}`
			`}`
Added upstream changes from enterprise to OSS (#6419) 2019-03-15 13:25:05 +00:00
			`checkRaw = func(b *SystemBackend, path string) error { return nil }`
Address items from feedback. Make MountConfig use values rather than pointers and change how config is read to compensate. 2015-09-09 19:24:45 +00:00			`)`

			`// tuneMount is used to set config on a mount point`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b SystemBackend) tuneMountTTLs(ctx context.Context, path string, me MountEntry, newDefault, newMax time.Duration) error {`
Simplify a lot of the mount tuning code (#3285) 2017-09-05 14:57:25 +00:00			`zero := time.Duration(0)`
Understand local when persisting mount tables, to avoid invalidations when not necessary (#2427) 2017-03-02 19:37:59 +00:00
Simplify a lot of the mount tuning code (#3285) 2017-09-05 14:57:25 +00:00			`switch {`
			`case newDefault == zero && newMax == zero:`
			`// No checks needed`
Address items from feedback. Make MountConfig use values rather than pointers and change how config is read to compensate. 2015-09-09 19:24:45 +00:00
Simplify a lot of the mount tuning code (#3285) 2017-09-05 14:57:25 +00:00			`case newDefault == zero && newMax != zero:`
			`// No default/max conflict, no checks needed`
Address items from feedback. Make MountConfig use values rather than pointers and change how config is read to compensate. 2015-09-09 19:24:45 +00:00
Simplify a lot of the mount tuning code (#3285) 2017-09-05 14:57:25 +00:00			`case newDefault != zero && newMax == zero:`
			`// No default/max conflict, no checks needed`
Fix up per-backend timing logic; also fix error in TypeDurationSecond in GetOkErr. 2015-09-21 13:39:37 +00:00
Simplify a lot of the mount tuning code (#3285) 2017-09-05 14:57:25 +00:00			`case newDefault != zero && newMax != zero:`
			`if newMax < newDefault {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return fmt.Errorf("backend max lease TTL of %d would be less than backend default lease TTL of %d", int(newMax.Seconds()), int(newDefault.Seconds()))`
Address items from feedback. Make MountConfig use values rather than pointers and change how config is read to compensate. 2015-09-09 19:24:45 +00:00			`}`
			`}`

Simplify a lot of the mount tuning code (#3285) 2017-09-05 14:57:25 +00:00			`origMax := me.Config.MaxLeaseTTL`
			`origDefault := me.Config.DefaultLeaseTTL`
Properly persist auth mount tuning 2016-05-03 18:24:04 +00:00
Simplify a lot of the mount tuning code (#3285) 2017-09-05 14:57:25 +00:00			`me.Config.MaxLeaseTTL = newMax`
			`me.Config.DefaultLeaseTTL = newDefault`
Address items from feedback. Make MountConfig use values rather than pointers and change how config is read to compensate. 2015-09-09 19:24:45 +00:00
			`// Update the mount table`
Properly persist auth mount tuning 2016-05-03 18:24:04 +00:00			`var err error`
			`switch {`
Sync 2017-10-23 19:35:28 +00:00			`case strings.HasPrefix(path, credentialRoutePrefix):`
Port some ent mount changes (#4330) 2018-04-11 18:32:55 +00:00			`err = b.Core.persistAuth(ctx, b.Core.auth, &me.Local)`
Properly persist auth mount tuning 2016-05-03 18:24:04 +00:00			`default:`
Port some ent mount changes (#4330) 2018-04-11 18:32:55 +00:00			`err = b.Core.persistMounts(ctx, b.Core.mounts, &me.Local)`
Properly persist auth mount tuning 2016-05-03 18:24:04 +00:00			`}`
			`if err != nil {`
Simplify a lot of the mount tuning code (#3285) 2017-09-05 14:57:25 +00:00			`me.Config.MaxLeaseTTL = origMax`
			`me.Config.DefaultLeaseTTL = origDefault`
Properly persist auth mount tuning 2016-05-03 18:24:04 +00:00			`return fmt.Errorf("failed to update mount table, rolling back TTL changes")`
Address items from feedback. Make MountConfig use values rather than pointers and change how config is read to compensate. 2015-09-09 19:24:45 +00:00			`}`
Convert to logxi 2016-08-19 20:45:17 +00:00			`if b.Core.logger.IsInfo() {`
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go 2018-04-03 00:46:59 +00:00			`b.Core.logger.Info("mount tuning of leases successful", "path", path)`
Convert to logxi 2016-08-19 20:45:17 +00:00			`}`
Address items from feedback. Make MountConfig use values rather than pointers and change how config is read to compensate. 2015-09-09 19:24:45 +00:00
			`return nil`
			`}`