backport of commit c040f901e57d2d04772827b52f7b052757986897 (#22135)

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2023-07-31 13:57:29 -04:00 · 2023-07-31 13:57:29 -04:00 · 3fb1a15a4f
parent 3d653cfc9e
commit 3fb1a15a4f
3 changed files with 42 additions and 16 deletions
--- a/changelog/21925.txt
+++ b/changelog/21925.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+kmip (enterprise): Add namespace lock and unlock support
+```
--- a/sdk/logical/system_view.go
+++ b/sdk/logical/system_view.go
@ -107,27 +107,32 @@ type PasswordPolicy interface {
 type ExtendedSystemView interface {
 	Auditor() Auditor
 	ForwardGenericRequest(context.Context, *Request) (*Response, error)
+
+	// APILockShouldBlockRequest returns whether a namespace for the requested
+	// mount is locked and should be blocked
+	APILockShouldBlockRequest() (bool, error)
 }

 type PasswordGenerator func() (password string, err error)

 type StaticSystemView struct {
-	DefaultLeaseTTLVal  time.Duration
-	MaxLeaseTTLVal      time.Duration
-	SudoPrivilegeVal    bool
-	TaintedVal          bool
-	CachingDisabledVal  bool
-	Primary             bool
-	EnableMlock         bool
-	LocalMountVal       bool
-	ReplicationStateVal consts.ReplicationState
-	EntityVal           *Entity
-	GroupsVal           []*Group
-	Features            license.Features
-	PluginEnvironment   *PluginEnvironment
-	PasswordPolicies    map[string]PasswordGenerator
-	VersionString       string
-	ClusterUUID         string
+	DefaultLeaseTTLVal           time.Duration
+	MaxLeaseTTLVal               time.Duration
+	SudoPrivilegeVal             bool
+	TaintedVal                   bool
+	CachingDisabledVal           bool
+	Primary                      bool
+	EnableMlock                  bool
+	LocalMountVal                bool
+	ReplicationStateVal          consts.ReplicationState
+	EntityVal                    *Entity
+	GroupsVal                    []*Group
+	Features                     license.Features
+	PluginEnvironment            *PluginEnvironment
+	PasswordPolicies             map[string]PasswordGenerator
+	VersionString                string
+	ClusterUUID                  string
+	APILockShouldBlockRequestVal bool
 }

 type noopAuditor struct{}
@ -253,3 +258,7 @@ func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool) {
 func (d StaticSystemView) ClusterID(ctx context.Context) (string, error) {
 	return d.ClusterUUID, nil
 }
+
+func (d StaticSystemView) APILockShouldBlockRequest() (bool, error) {
+	return d.APILockShouldBlockRequestVal, nil
+}
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
@ -136,6 +136,20 @@ func (e extendedSystemViewImpl) SudoPrivilege(ctx context.Context, path string,
 	return authResults.RootPrivs
 }

+func (e extendedSystemViewImpl) APILockShouldBlockRequest() (bool, error) {
+	mountEntry := e.mountEntry
+	if mountEntry == nil {
+		return false, fmt.Errorf("no mount entry")
+	}
+	ns := mountEntry.Namespace()
+
+	if err := enterpriseBlockRequestIfError(e.core, ns.Path, mountEntry.Path); err != nil {
+		return true, nil
+	}
+
+	return false, nil
+}
+
 func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
 	def, _ := d.fetchTTLs()
 	return def