From 419a92a6322cc6dd9970116e3ca9304fb6454b18 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Fri, 27 Jan 2023 12:42:13 -0500
Subject: [PATCH] Move cert auth backend setup into initialize (#18885) * Move cert auth backend setup into initialize In further review with new understanding after #18244, loading configuration and CRLs within the backend's initialize function is the ideal approach: Factory construction is strictly serial, resulting in backend initialization blocking until config and CRLs are loaded. By using an InitializeFunc(...), we delay loading until after all backends are constructed (either right on startup in 1.12+, else during the initial PeriodicFunc(...) invocation on 1.11 and earlier). We also invoke initialize automatically on test Factory construction. Resolves: #17847 Co-authored-by: valli_0x Signed-off-by: Alexander Scheel * Add changelog entry Signed-off-by: Alexander Scheel --------- Signed-off-by: Alexander Scheel Co-authored-by: valli_0x
---
 builtin/credential/cert/backend.go | 38 ++++++++++++++++----------
 builtin/credential/cert/backend_test.go | 5 ++++
 changelog/18885.txt | 3 ++
 3 files changed, 32 insertions(+), 14 deletions(-)
 create mode 100644 changelog/18885.txt
diff --git a/builtin/credential/cert/backend.go b/builtin/credential/cert/backend.go
index 81dba0a80..72089037a 100644
--- a/builtin/credential/cert/backend.go
+++ b/builtin/credential/cert/backend.go
@@ -23,16 +23,6 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 if err := b.Setup(ctx, conf); err != nil {
 return nil, err
 }
- bConf, err := b.Config(ctx, conf.StorageView)
- if err != nil {
- return nil, err
- }
- if bConf != nil {
- b.updatedConfig(bConf)
- }
- if err := b.lockThenpopulateCRLs(ctx, conf.StorageView); err != nil {
- return nil, err
- }
 return b, nil
 }
 
@@ -53,10 +43,11 @@ func Backend() *backend {
 pathListCRLs(&b),
 pathCRLs(&b),
 },
- AuthRenew: b.pathLoginRenew,
- Invalidate: b.invalidate,
- BackendType: logical.TypeCredential,
- PeriodicFunc: b.updateCRLs,
+ AuthRenew: b.pathLoginRenew,
+ Invalidate: b.invalidate,
+ BackendType: logical.TypeCredential,
+ InitializeFunc: b.initialize,
+ PeriodicFunc: b.updateCRLs,
 }
 
 b.crlUpdateMutex = &sync.RWMutex{}
@@ -74,6 +65,25 @@ type backend struct {
 configUpdated atomic.Bool
 }
 
+func (b *backend) initialize(ctx context.Context, req *logical.InitializationRequest) error {
+ bConf, err := b.Config(ctx, req.Storage)
+ if err != nil {
+ b.Logger().Error(fmt.Sprintf("failed to load backend configuration: %v", err))
+ return err
+ }
+
+ if bConf != nil {
+ b.updatedConfig(bConf)
+ }
+
+ if err := b.lockThenpopulateCRLs(ctx, req.Storage); err != nil {
+ b.Logger().Error(fmt.Sprintf("failed to populate CRLs: %v", err))
+ return err
+ }
+
+ return nil
+}
+
 func (b *backend) invalidate(_ context.Context, key string) {
 switch {
 case strings.HasPrefix(key, "crls/"):
diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go
index c56ecefad..f7e238500 100644
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@@ -1103,6 +1103,11 @@ func testFactory(t *testing.T) logical.Backend {
 if err != nil {
 t.Fatalf("error: %s", err)
 }
+ if err := b.Initialize(context.Background(), &logical.InitializationRequest{
+ Storage: storage,
+ }); err != nil {
+ t.Fatalf("error: %s", err)
+ }
 return b
 }
 
diff --git a/changelog/18885.txt b/changelog/18885.txt
new file mode 100644
index 000000000..99878c89c
--- /dev/null
+++ b/changelog/18885.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+auth/cert: Load config, crls from InitializeFunc to allow parallel processing.
+```
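Review bot: Moving the CRL load out of Factory into initialize means the backend can be mounted and routable while its CRL cache is still empty, until InitializeFunc has run; the commit message notes that on 1.11 and earlier this only happens at the first PeriodicFunc invocation, so any login handled before then would presumably not be checked against any CRL at all. The new initialize function carries no doc comment that records this ordering change; suggested: `// initialize loads the stored config and populates the CRL cache once all backends are constructed; this work used to run in Factory and therefore completed before the mount was usable.`, and it is worth considering whether login should fail closed until initialize has completed. Separately, both `b.Logger().Error(fmt.Sprintf(...))` calls flatten the error into the message string; hclog accepts key/value pairs, so `b.Logger().Error("failed to load backend configuration", "error", err)` keeps it structured, and since the error is also returned, the caller presumably reports it a second time.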