From 3fb1a15a4ff26e99859ba38dd619f1572d286af4 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Mon, 31 Jul 2023 13:57:29 -0400
Subject: [PATCH] backport of commit c040f901e57d2d04772827b52f7b052757986897 (#22135)
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
---
 changelog/21925.txt | 3 +++
 sdk/logical/system_view.go | 41 ++++++++++++++++++++++--------------
 vault/dynamic_system_view.go | 14 ++++++++++++
 3 files changed, 42 insertions(+), 16 deletions(-)
 create mode 100644 changelog/21925.txt
diff --git a/changelog/21925.txt b/changelog/21925.txt
new file mode 100644
index 000000000..ca89ff75a
--- /dev/null
+++ b/changelog/21925.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+kmip (enterprise): Add namespace lock and unlock support
+```
diff --git a/sdk/logical/system_view.go b/sdk/logical/system_view.go
index 7301c752a..a4ec6483d 100644
--- a/sdk/logical/system_view.go
+++ b/sdk/logical/system_view.go
@@ -107,27 +107,32 @@ type PasswordPolicy interface {
 type ExtendedSystemView interface {
 Auditor() Auditor
 ForwardGenericRequest(context.Context, *Request) (*Response, error)
+
+ // APILockShouldBlockRequest returns whether a namespace for the requested
+ // mount is locked and should be blocked
+ APILockShouldBlockRequest() (bool, error)
 }
 
 type PasswordGenerator func() (password string, err error)
 
 type StaticSystemView struct {
- DefaultLeaseTTLVal time.Duration
- MaxLeaseTTLVal time.Duration
- SudoPrivilegeVal bool
- TaintedVal bool
- CachingDisabledVal bool
- Primary bool
- EnableMlock bool
- LocalMountVal bool
- ReplicationStateVal consts.ReplicationState
- EntityVal *Entity
- GroupsVal []*Group
- Features license.Features
- PluginEnvironment *PluginEnvironment
- PasswordPolicies map[string]PasswordGenerator
- VersionString string
- ClusterUUID string
+ DefaultLeaseTTLVal time.Duration
+ MaxLeaseTTLVal time.Duration
+ SudoPrivilegeVal bool
+ TaintedVal bool
+ CachingDisabledVal bool
+ Primary bool
+ EnableMlock bool
+ LocalMountVal bool
+ ReplicationStateVal consts.ReplicationState
+ EntityVal *Entity
+ GroupsVal []*Group
+ Features license.Features
+ PluginEnvironment *PluginEnvironment
+ PasswordPolicies map[string]PasswordGenerator
+ VersionString string
+ ClusterUUID string
+ APILockShouldBlockRequestVal bool
 }
 
 type noopAuditor struct{}
@@ -253,3 +258,7 @@ func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool) {
 func (d StaticSystemView) ClusterID(ctx context.Context) (string, error) {
 return d.ClusterUUID, nil
 }
+
+func (d StaticSystemView) APILockShouldBlockRequest() (bool, error) {
+ return d.APILockShouldBlockRequestVal, nil
+}
diff --git a/vault/dynamic_system_view.go b/vault/dynamic_system_view.go
index 8c547b671..a33596a1e 100644
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
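Review bot: The doc comment added to ExtendedSystemView for APILockShouldBlockRequest does not say what the error return means, and it lacks its terminating period; an implementer or caller needs to know whether a non-nil error stands for "lock state could not be determined" and therefore whether to fail closed on it. Suggest replacing the two comment lines with `// APILockShouldBlockRequest reports whether the namespace of the requested mount is API-locked and the request should be rejected. A non-nil error means the lock state could not be determined.` The wrapping interface and struct declarations continue outside the hunk.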
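Review bot: StaticSystemView.APILockShouldBlockRequest in the second hunk can only ever return a nil error, so tests built on StaticSystemView cannot exercise the error branch the interface contract now exposes, which is exactly the branch where a caller's fail-open/fail-closed choice matters. A paired field in the first hunk, `APILockShouldBlockRequestErr error`, returned as the second value, `return d.APILockShouldBlockRequestVal, d.APILockShouldBlockRequestErr`, keeps the current zero-value behavior and lets tests cover both outcomes. The new exported method also has no doc comment; `// APILockShouldBlockRequest returns the configured APILockShouldBlockRequestVal.` would match the method above it.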
@@ -136,6 +136,20 @@ func (e extendedSystemViewImpl) SudoPrivilege(ctx context.Context, path string,
 return authResults.RootPrivs
 }
 
+func (e extendedSystemViewImpl) APILockShouldBlockRequest() (bool, error) {
+ mountEntry := e.mountEntry
+ if mountEntry == nil {
+ return false, fmt.Errorf("no mount entry")
+ }
+ ns := mountEntry.Namespace()
+
+ if err := enterpriseBlockRequestIfError(e.core, ns.Path, mountEntry.Path); err != nil {
+ return true, nil
+ }
+
+ return false, nil
+}
+
 func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
 def, _ := d.fetchTTLs()
 return def
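Review bot: The error from enterpriseBlockRequestIfError is dropped inside the new APILockShouldBlockRequest: the `if err := ...; err != nil` branch returns `true, nil`, so every failure of that helper, not only a locked namespace, is reported as "block" and the cause never reaches the caller or a log. Failing closed is the right default for a lock check, but the intent should be stated and the reason preserved: add `// Any error from the enterprise lock check blocks the request (fail closed).` above the check, and if the helper can fail for reasons other than a lock, return it alongside, `return true, fmt.Errorf("checking API lock for mount %q: %w", mountEntry.Path, err)`, so callers can tell the two apart when they log. The constant message on the nil-entry path reads better as `errors.New("no mount entry")` if the errors package is already imported in this file. `ns.Path` is dereferenced without checking that Namespace() returned non-nil; if that can happen for a mount entry, guard it the same way as the nil entry.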