backport of commit c5549cdac681676ae52ea173d737ee1c5d1949a2 (#21272)

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
This commit is contained in:
hc-github-team-secure-vault-core 2023-06-15 16:41:45 -04:00 committed by GitHub
parent 66fc3d6154
commit 3ddd7a14f0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 80 additions and 38 deletions

changelog/21260.txt Normal file

@ -0,0 +1,4 @@
```release-note:bug
core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
have its own changelog entry. Fix wrong lock used in ListAuths link meta interface implementation.
```


@ -11,9 +11,18 @@ import (
"time" "time"
"github.com/hashicorp/go-hclog" "github.com/hashicorp/go-hclog"
logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
"github.com/hashicorp/vault/audit"
auditFile "github.com/hashicorp/vault/builtin/audit/file"
auditSocket "github.com/hashicorp/vault/builtin/audit/socket"
auditSyslog "github.com/hashicorp/vault/builtin/audit/syslog"
logicalDb "github.com/hashicorp/vault/builtin/logical/database"
"github.com/hashicorp/vault/builtin/plugin"
"github.com/hashicorp/vault/helper/testhelpers" "github.com/hashicorp/vault/helper/testhelpers"
"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
vaulthttp "github.com/hashicorp/vault/http" vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/physical/raft" "github.com/hashicorp/vault/physical/raft"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/physical" "github.com/hashicorp/vault/sdk/physical"
physFile "github.com/hashicorp/vault/sdk/physical/file" physFile "github.com/hashicorp/vault/sdk/physical/file"
"github.com/hashicorp/vault/sdk/physical/inmem" "github.com/hashicorp/vault/sdk/physical/inmem"
@ -241,5 +250,28 @@ func ClusterSetup(conf *vault.CoreConfig, opts *vault.TestClusterOptions, setup
setup = InmemBackendSetup setup = InmemBackendSetup
} }
setup(&localConf, &localOpts) setup(&localConf, &localOpts)
if localConf.CredentialBackends == nil {
localConf.CredentialBackends = map[string]logical.Factory{
"plugin": plugin.Factory,
}
}
if localConf.LogicalBackends == nil {
localConf.LogicalBackends = map[string]logical.Factory{
"plugin": plugin.Factory,
"database": logicalDb.Factory,
// This is also available in the plugin catalog, but is here due to the need to
// automatically mount it.
"kv": logicalKv.Factory,
}
}
if localConf.AuditBackends == nil {
localConf.AuditBackends = map[string]audit.Factory{
"file": auditFile.Factory,
"socket": auditSocket.Factory,
"syslog": auditSyslog.Factory,
"noop": corehelpers.NoopAuditFactory(nil),
}
}
return &localConf, &localOpts return &localConf, &localOpts
} }
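Review bot: The defaults added at L46-L67 are decided per map and only when that map is nil, so a setup function that supplies just LogicalBackends still receives the default credential and audit factories, while one that assigns an empty non-nil map gets no defaults at all; that asymmetry is easy to trip over from a test and deserves a comment above the first check, e.g. `// Fill in defaults only for maps that setup left nil; a non-nil (even empty) map is taken as-is.` The audit defaults register a `noop` backend from `corehelpers.NoopAuditFactory(nil)`, which presumably discards audit records — acceptable for tests, but worth saying in the comment, since these literals look like a copy of the production backend registry and can silently drift from it. ClusterSetup begins before this hunk.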


@ -64,16 +64,6 @@ func (c *Core) enableCredential(ctx context.Context, entry *MountEntry) error {
return err return err
} }
// Re-evaluate filtered paths
if err := runFilteredPathsEvaluation(ctx, c); err != nil {
c.logger.Error("failed to evaluate filtered paths", "error", err)
// We failed to evaluate filtered paths so we are undoing the mount operation
if disableCredentialErr := c.disableCredentialInternal(ctx, entry.Path, MountTableUpdateStorage); disableCredentialErr != nil {
c.logger.Error("failed to disable credential", "error", disableCredentialErr)
}
return err
}
return nil return nil
} }
@ -89,8 +79,13 @@ func (c *Core) enableCredentialInternal(ctx context.Context, entry *MountEntry,
return fmt.Errorf("backend path must be specified") return fmt.Errorf("backend path must be specified")
} }
c.mountsLock.Lock()
c.authLock.Lock() c.authLock.Lock()
defer c.authLock.Unlock() unlock := func() {
c.authLock.Unlock()
c.mountsLock.Unlock()
}
defer unlock()
ns, err := namespace.FromContext(ctx) ns, err := namespace.FromContext(ctx)
if err != nil { if err != nil {
@ -224,6 +219,19 @@ func (c *Core) enableCredentialInternal(ctx context.Context, entry *MountEntry,
return err return err
} }
// Re-evaluate filtered paths
if err := runFilteredPathsEvaluation(ctx, c, false); err != nil {
c.logger.Error("failed to evaluate filtered paths", "error", err)
unlock()
unlock = func() {}
// We failed to evaluate filtered paths so we are undoing the mount operation
if disableCredentialErr := c.disableCredentialInternal(ctx, entry.Path, MountTableUpdateStorage); disableCredentialErr != nil {
c.logger.Error("failed to disable credential", "error", disableCredentialErr)
}
return err
}
if !nilMount { if !nilMount {
// restore the original readOnlyErr, so we can write to the view in // restore the original readOnlyErr, so we can write to the view in
// Initialize() if necessary // Initialize() if necessary
@ -259,7 +267,7 @@ func (c *Core) disableCredential(ctx context.Context, path string) error {
} }
// Re-evaluate filtered paths // Re-evaluate filtered paths
if err := runFilteredPathsEvaluation(ctx, c); err != nil { if err := runFilteredPathsEvaluation(ctx, c, true); err != nil {
// Even we failed to evaluate filtered paths, the unmount operation was still successful // Even we failed to evaluate filtered paths, the unmount operation was still successful
c.logger.Error("failed to evaluate filtered paths", "error", err) c.logger.Error("failed to evaluate filtered paths", "error", err)
} }
@ -526,11 +534,6 @@ func (c *Core) remountCredEntryForceInternal(ctx context.Context, path string, u
return err return err
} }
// Re-evaluate filtered paths
if err := runFilteredPathsEvaluation(ctx, c); err != nil {
c.logger.Error("failed to evaluate filtered paths", "error", err)
return err
}
return nil return nil
} }
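Review bot: The rollback path added at L105-L106 does not actually suppress the deferred unlock: `defer unlock()` at L96 evaluates the function value `unlock` when the defer statement runs, so the later `unlock = func() {}` rebinds only the local variable and the original closure still executes at return, releasing authLock and mountsLock a second time after the explicit `unlock()` and aborting the process with `fatal error: sync: unlock of unlocked mutex`. Defer through a closure so the reassignment is observed, `defer func() { unlock() }()`, or give unlock a `locked` flag so a second call is a no-op. The acquisition order mountsLock then authLock at L90-L91 matches the one introduced in mountInternal and has to stay identical in every path that holds both, now that ListAuths reads under authLock alone. disableCredentialInternal then runs with neither lock held, so another mount operation can interleave between the failed evaluation and the rollback; if that is acceptable it should be stated in the comment at L107. enableCredentialInternal starts and ends outside this hunk.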


@ -3866,8 +3866,8 @@ func (c *Core) ListAuths() ([]*MountEntry, error) {
return nil, fmt.Errorf("vault is sealed") return nil, fmt.Errorf("vault is sealed")
} }
c.mountsLock.RLock() c.authLock.RLock()
defer c.mountsLock.RUnlock() defer c.authLock.RUnlock()
var entries []*MountEntry var entries []*MountEntry
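Review bot: ListAuths now reads under authLock, which is the lock enableCredentialInternal and mountInternal take before mutating the auth table, but its return type `[]*MountEntry` hands callers pointers; whether the loop after this hunk clones each entry or returns the live table entries is not visible here, and in the latter case callers read fields after RUnlock with no protection against a concurrent enable or disable. A doc comment on ListAuths should state which it is, e.g. `// ListAuths returns the current auth mount entries; callers must treat them as read-only snapshots.` The function body continues past this hunk.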


@ -567,23 +567,17 @@ func (c *Core) mount(ctx context.Context, entry *MountEntry) error {
return err return err
} }
// Re-evaluate filtered paths
if err := runFilteredPathsEvaluation(ctx, c); err != nil {
c.logger.Error("failed to evaluate filtered paths", "error", err)
// We failed to evaluate filtered paths so we are undoing the mount operation
if unmountInternalErr := c.unmountInternal(ctx, entry.Path, MountTableUpdateStorage); unmountInternalErr != nil {
c.logger.Error("failed to unmount", "error", unmountInternalErr)
}
return err
}
return nil return nil
} }
func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStorage bool) error { func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStorage bool) error {
c.mountsLock.Lock() c.mountsLock.Lock()
defer c.mountsLock.Unlock() c.authLock.Lock()
unlock := func() {
c.authLock.Unlock()
c.mountsLock.Unlock()
}
defer unlock()
ns, err := namespace.FromContext(ctx) ns, err := namespace.FromContext(ctx)
if err != nil { if err != nil {
@ -666,6 +660,7 @@ func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStora
if err != nil { if err != nil {
return err return err
} }
origReadOnlyErr := view.getReadOnlyErr() origReadOnlyErr := view.getReadOnlyErr()
// Mark the view as read-only until the mounting is complete and // Mark the view as read-only until the mounting is complete and
@ -734,6 +729,19 @@ func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStora
return err return err
} }
// Re-evaluate filtered paths
if err := runFilteredPathsEvaluation(ctx, c, false); err != nil {
c.logger.Error("failed to evaluate filtered paths", "error", err)
unlock()
unlock = func() {}
// We failed to evaluate filtered paths so we are undoing the mount operation
if unmountInternalErr := c.unmountInternal(ctx, entry.Path, MountTableUpdateStorage); unmountInternalErr != nil {
c.logger.Error("failed to unmount", "error", unmountInternalErr)
}
return err
}
if !nilMount { if !nilMount {
// restore the original readOnlyErr, so we can write to the view in // restore the original readOnlyErr, so we can write to the view in
// Initialize() if necessary // Initialize() if necessary
@ -813,7 +821,7 @@ func (c *Core) unmount(ctx context.Context, path string) error {
} }
// Re-evaluate filtered paths // Re-evaluate filtered paths
if err := runFilteredPathsEvaluation(ctx, c); err != nil { if err := runFilteredPathsEvaluation(ctx, c, true); err != nil {
// Even we failed to evaluate filtered paths, the unmount operation was still successful // Even we failed to evaluate filtered paths, the unmount operation was still successful
c.logger.Error("failed to evaluate filtered paths", "error", err) c.logger.Error("failed to evaluate filtered paths", "error", err)
} }
@ -1062,11 +1070,6 @@ func (c *Core) remountForceInternal(ctx context.Context, path string, updateStor
return err return err
} }
// Re-evaluate filtered paths
if err := runFilteredPathsEvaluation(ctx, c); err != nil {
c.logger.Error("failed to evaluate filtered paths", "error", err)
return err
}
return nil return nil
} }
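Review bot: The error path at L181-L182 double-unlocks: `defer unlock()` at L166 captures the closure value at the point of the defer statement, so reassigning `unlock = func() {}` afterwards has no effect on what is deferred, and after the explicit `unlock()` the original closure runs again at return, which Go reports as `fatal error: sync: unlock of unlocked mutex` and cannot be recovered. Change the defer to `defer func() { unlock() }()` so it reads the variable at return time, or make unlock idempotent with a `locked` flag. The mountsLock-then-authLock order at L160-L161 is the same one enableCredentialInternal now uses; a comment naming that ordering at the first Lock would help keep future callers from inverting it. unmountInternal is invoked with both locks released, leaving a window for another mount-table change before the rollback; if that is intended the comment at L183 should say so. mountInternal starts before and ends after this hunk.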


@ -28,7 +28,7 @@ func addKnownPath(*Core, string) {}
func preprocessMount(*Core, *MountEntry, *BarrierView) (bool, error) { return false, nil } func preprocessMount(*Core, *MountEntry, *BarrierView) (bool, error) { return false, nil }
func clearIgnoredPaths(context.Context, *Core, logical.Backend, string) error { return nil } func clearIgnoredPaths(context.Context, *Core, logical.Backend, string) error { return nil }
func addLicenseCallback(*Core, logical.Backend) {} func addLicenseCallback(*Core, logical.Backend) {}
func runFilteredPathsEvaluation(context.Context, *Core) error { return nil } func runFilteredPathsEvaluation(context.Context, *Core, bool) error { return nil }
// ViewPath returns storage prefix for the view // ViewPath returns storage prefix for the view
func (e *MountEntry) ViewPath() string { func (e *MountEntry) ViewPath() string {
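Review bot: The third parameter added to the OSS stub at L216 is unnamed and undocumented, so the only clue to its meaning is the call sites elsewhere in this commit, which pass `true` from unmount/disableCredential and `false` from mountInternal/enableCredentialInternal. Add a one-line doc above the stub that records that contract, e.g. `// runFilteredPathsEvaluation re-evaluates filtered paths after a mount-table change; the bool appears to flag the unmount case. No-op in OSS.` so the enterprise signature's meaning is visible here. ViewPath begins at the end of this hunk and continues past it.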