Move cert auth backend setup into initialize (#18885)

* Move cert auth backend setup into initialize In further review with new understanding after #18244, loading configuration and CRLs within the backend's initialize function is the ideal approach: Factory construction is strictly serial, resulting in backend initialization blocking until config and CRLs are loaded. By using an InitializeFunc(...), we delay loading until after all backends are constructed (either right on startup in 1.12+, else during the initial PeriodicFunc(...) invocation on 1.11 and earlier). We also invoke initialize automatically on test Factory construction. Resolves: #17847 Co-authored-by: valli_0x <personallune@mail.ru> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: valli_0x <personallune@mail.ru>
2023-01-27 12:42:13 -05:00 · 2023-01-27 12:42:13 -05:00 · 419a92a632
parent 235746b98d
commit 419a92a632
3 changed files with 32 additions and 14 deletions
--- a/builtin/credential/cert/backend.go
+++ b/builtin/credential/cert/backend.go
@ -23,16 +23,6 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 	if err := b.Setup(ctx, conf); err != nil {
 		return nil, err
 	}
-	bConf, err := b.Config(ctx, conf.StorageView)
-	if err != nil {
-		return nil, err
-	}
-	if bConf != nil {
-		b.updatedConfig(bConf)
-	}
-	if err := b.lockThenpopulateCRLs(ctx, conf.StorageView); err != nil {
-		return nil, err
-	}
 	return b, nil
 }

@ -53,10 +43,11 @@ func Backend() *backend {
 			pathListCRLs(&b),
 			pathCRLs(&b),
 		},
-		AuthRenew:    b.pathLoginRenew,
-		Invalidate:   b.invalidate,
-		BackendType:  logical.TypeCredential,
-		PeriodicFunc: b.updateCRLs,
+		AuthRenew:      b.pathLoginRenew,
+		Invalidate:     b.invalidate,
+		BackendType:    logical.TypeCredential,
+		InitializeFunc: b.initialize,
+		PeriodicFunc:   b.updateCRLs,
 	}

 	b.crlUpdateMutex = &sync.RWMutex{}
@ -74,6 +65,25 @@ type backend struct {
 	configUpdated   atomic.Bool
 }

+func (b *backend) initialize(ctx context.Context, req *logical.InitializationRequest) error {
+	bConf, err := b.Config(ctx, req.Storage)
+	if err != nil {
+		b.Logger().Error(fmt.Sprintf("failed to load backend configuration: %v", err))
+		return err
+	}
+
+	if bConf != nil {
+		b.updatedConfig(bConf)
+	}
+
+	if err := b.lockThenpopulateCRLs(ctx, req.Storage); err != nil {
+		b.Logger().Error(fmt.Sprintf("failed to populate CRLs: %v", err))
+		return err
+	}
+
+	return nil
+}
+
 func (b *backend) invalidate(_ context.Context, key string) {
 	switch {
 	case strings.HasPrefix(key, "crls/"):
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@ -1103,6 +1103,11 @@ func testFactory(t *testing.T) logical.Backend {
 	if err != nil {
 		t.Fatalf("error: %s", err)
 	}
+	if err := b.Initialize(context.Background(), &logical.InitializationRequest{
+		Storage: storage,
+	}); err != nil {
+		t.Fatalf("error: %s", err)
+	}
 	return b
 }

--- a/changelog/18885.txt
+++ b/changelog/18885.txt
@ -0,0 +1,3 @@
+```release-note:enhancement
+auth/cert: Load config, crls from InitializeFunc to allow parallel processing.
+```