luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Make cubbyhole revocation/tidying compatible with cubbys in namespaces. (#11408)

This commit is contained in:
Nick Cabatoff 2021-04-19 17:28:04 -04:00 committed by GitHub
parent 449a45baaa
commit 474c4e8134
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 21 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/11408.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
core: Fix cleanup of storage entries from cubbyholes within namespaces.
```

4
vault/logical_cubbyhole.go
View File

@ -83,12 +83,12 @@ func (b *CubbyholeBackend) paths() []*framework.Path {
} }
} }
func (b *CubbyholeBackend) revoke(ctx context.Context, saltedToken string) error { func (b *CubbyholeBackend) revoke(ctx context.Context, view *BarrierView, saltedToken string) error {
if saltedToken == "" { if saltedToken == "" {
return fmt.Errorf("client token empty during revocation") return fmt.Errorf("client token empty during revocation")
} }
if err := logical.ClearView(ctx, b.storageView.(*BarrierView).SubView(saltedToken+"/")); err != nil { if err := logical.ClearView(ctx, view.SubView(saltedToken+"/")); err != nil {
return err return err
} }

20
vault/token_store.go
View File

@ -86,19 +86,25 @@ var (
return errors.New("nil token entry") return errors.New("nil token entry")
} }
storage := ts.core.router.MatchingStorageByAPIPath(ctx, cubbyholeMountPath)
if storage == nil {
return fmt.Errorf("no cubby mount entry")
}
view := storage.(*BarrierView)
switch { switch {
case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(te.ID, "s."): case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(te.ID, "s."):
saltedID, err := ts.SaltID(ctx, te.ID) saltedID, err := ts.SaltID(ctx, te.ID)
if err != nil { if err != nil {
return err return err
} }
return ts.cubbyholeBackend.revoke(ctx, salt.SaltID(ts.cubbyholeBackend.saltUUID, saltedID, salt.SHA1Hash)) return ts.cubbyholeBackend.revoke(ctx, view, salt.SaltID(ts.cubbyholeBackend.saltUUID, saltedID, salt.SHA1Hash))
default: default:
if te.CubbyholeID == "" { if te.CubbyholeID == "" {
return fmt.Errorf("missing cubbyhole ID while destroying") return fmt.Errorf("missing cubbyhole ID while destroying")
} }
return ts.cubbyholeBackend.revoke(ctx, te.CubbyholeID) return ts.cubbyholeBackend.revoke(ctx, view, te.CubbyholeID)
} }
} }
) )
@ -1819,7 +1825,13 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
} }
// List all the cubbyhole storage keys // List all the cubbyhole storage keys
cubbyholeKeys, err := ts.cubbyholeBackend.storageView.List(quitCtx, "") view := ts.core.router.MatchingStorageByAPIPath(ctx, cubbyholeMountPath)
if view == nil {
return fmt.Errorf("no cubby mount entry")
}
bview := view.(*BarrierView)
cubbyholeKeys, err := bview.List(quitCtx, "")
if err != nil { if err != nil {
return errwrap.Wrapf("failed to fetch cubbyhole storage keys: {{err}}", err) return errwrap.Wrapf("failed to fetch cubbyhole storage keys: {{err}}", err)
} }
@ -2016,7 +2028,7 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
key := strings.TrimSuffix(key, "/") key := strings.TrimSuffix(key, "/")
if !validCubbyholeKeys[key] { if !validCubbyholeKeys[key] {
ts.logger.Info("deleting invalid cubbyhole", "key", key) ts.logger.Info("deleting invalid cubbyhole", "key", key)
err = ts.cubbyholeBackend.revoke(quitCtx, key) err = ts.cubbyholeBackend.revoke(quitCtx, bview, key)
if err != nil { if err != nil {
tidyErrors = multierror.Append(tidyErrors, errwrap.Wrapf(fmt.Sprintf("failed to revoke cubbyhole key %q: {{err}}", key), err)) tidyErrors = multierror.Append(tidyErrors, errwrap.Wrapf(fmt.Sprintf("failed to revoke cubbyhole key %q: {{err}}", key), err))
} }