Sync over
This commit is contained in:
parent
88650026c4
commit
4aa4a0665f
|
@ -516,6 +516,21 @@ func DeriveActiveCore(t testing.T, cluster *vault.TestCluster) *vault.TestCluste
|
|||
return nil
|
||||
}
|
||||
|
||||
func DeriveStandbyCores(t testing.T, cluster *vault.TestCluster) []*vault.TestClusterCore {
|
||||
cores := make([]*vault.TestClusterCore, 0, 2)
|
||||
for _, core := range cluster.Cores {
|
||||
leaderResp, err := core.Client.Sys().Leader()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !leaderResp.IsSelf {
|
||||
cores = append(cores, core)
|
||||
}
|
||||
}
|
||||
|
||||
return cores
|
||||
}
|
||||
|
||||
func WaitForNCoresSealed(t testing.T, cluster *vault.TestCluster, n int) {
|
||||
t.Helper()
|
||||
for i := 0; i < 30; i++ {
|
||||
|
@ -579,3 +594,16 @@ func WaitForMatchingMerkleRoots(t testing.T, endpoint string, primary, secondary
|
|||
|
||||
t.Fatalf("roots did not become equal")
|
||||
}
|
||||
|
||||
func WaitForWAL(t testing.T, c *vault.TestClusterCore, wal uint64) {
|
||||
timeout := time.Now().Add(3 * time.Second)
|
||||
for {
|
||||
if time.Now().After(timeout) {
|
||||
t.Fatal("timeout waiting for WAL")
|
||||
}
|
||||
if vault.LastRemoteWAL(c.Core) >= wal {
|
||||
break
|
||||
}
|
||||
time.Sleep(1 * time.Second)
|
||||
}
|
||||
}
|
||||
|
|
|
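Review bot: DeriveStandbyCores and WaitForWAL call t.Fatal without first calling t.Helper(), so a failure is reported at the helper's own line rather than at the calling test; WaitForNCoresSealed directly below already opens with `t.Helper()`, and both new functions should match it. WaitForWAL also polls `vault.LastRemoteWAL(c.Core)` once per second against a 3 s deadline, which leaves at most three checks before the fatal; a shorter interval such as `time.Sleep(100 * time.Millisecond)` keeps the same deadline while making the wait much less likely to flake on a slow cluster. A doc comment on each helper stating what it waits for (and that DeriveStandbyCores fails the test on any Leader() error) would also help, since these are shared test utilities.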
@ -136,6 +136,11 @@ func (c *Core) disableAudit(ctx context.Context, path string, updateStorage bool
|
|||
path += "/"
|
||||
}
|
||||
|
||||
// Ensure there is a name
|
||||
if path == "/" {
|
||||
return false, fmt.Errorf("backend path must be specified")
|
||||
}
|
||||
|
||||
// Remove the entry from the mount table
|
||||
c.auditLock.Lock()
|
||||
defer c.auditLock.Unlock()
|
||||
|
|
|
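Review bot: `return false, fmt.Errorf("backend path must be specified")` passes a constant string with no verbs and no wrapped error to fmt.Errorf; the idiomatic form is `return false, errors.New("backend path must be specified")`, assuming `errors` is imported in this file (the import block is outside the hunk). The same empty-path guard is added to the sys handler in this commit with a different message ("audit device path must be specified"); using one wording at both layers makes the failure easier to trace back. disableAudit continues past both ends of the hunk.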
@ -734,8 +734,11 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d
|
|||
repState := b.Core.ReplicationState()
|
||||
|
||||
local := data.Get("local").(bool)
|
||||
// If we are a performance secondary cluster we should forward the request
|
||||
// to the primary. We fail early here since the view in use isn't marked as
|
||||
// readonly
|
||||
if !local && repState.HasState(consts.ReplicationPerformanceSecondary) {
|
||||
return logical.ErrorResponse("cannot add a non-local mount to a replication secondary"), nil
|
||||
return nil, logical.ErrReadOnly
|
||||
}
|
||||
|
||||
// Get all the options
|
||||
|
@ -930,8 +933,12 @@ func (b *SystemBackend) handleUnmount(ctx context.Context, req *logical.Request,
|
|||
|
||||
repState := b.Core.ReplicationState()
|
||||
entry := b.Core.router.MatchingMountEntry(ctx, path)
|
||||
|
||||
// If we are a performance secondary cluster we should forward the request
|
||||
// to the primary. We fail early here since the view in use isn't marked as
|
||||
// readonly
|
||||
if entry != nil && !entry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
|
||||
return logical.ErrorResponse("cannot unmount a non-local mount on a replication secondary"), nil
|
||||
return nil, logical.ErrReadOnly
|
||||
}
|
||||
|
||||
// We return success when the mount does not exists to not expose if the
|
||||
|
@ -976,8 +983,11 @@ func (b *SystemBackend) handleRemount(ctx context.Context, req *logical.Request,
|
|||
}
|
||||
|
||||
entry := b.Core.router.MatchingMountEntry(ctx, fromPath)
|
||||
// If we are a performance secondary cluster we should forward the request
|
||||
// to the primary. We fail early here since the view in use isn't marked as
|
||||
// readonly
|
||||
if entry != nil && !entry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
|
||||
return logical.ErrorResponse("cannot remount a non-local mount on a replication secondary"), nil
|
||||
return nil, logical.ErrReadOnly
|
||||
}
|
||||
|
||||
// Attempt remount
|
||||
|
@ -1113,7 +1123,7 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
|
|||
return handleError(fmt.Errorf("tune of path %q failed: no mount entry found", path))
|
||||
}
|
||||
if mountEntry != nil && !mountEntry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
|
||||
return logical.ErrorResponse("cannot tune a non-local mount on a replication secondary"), nil
|
||||
return nil, logical.ErrReadOnly
|
||||
}
|
||||
|
||||
var lock *sync.RWMutex
|
||||
|
@ -1134,7 +1144,7 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
|
|||
return handleError(fmt.Errorf("tune of path %q failed: no mount entry found", path))
|
||||
}
|
||||
if mountEntry != nil && !mountEntry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
|
||||
return logical.ErrorResponse("cannot tune a non-local mount on a replication secondary"), nil
|
||||
return nil, logical.ErrReadOnly
|
||||
}
|
||||
|
||||
// Timing configuration parameters
|
||||
|
@ -1197,7 +1207,7 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
|
|||
return handleError(err)
|
||||
}
|
||||
if b.Core.logger.IsInfo() {
|
||||
b.Core.logger.Info("mount tuning of description successful", "path", path)
|
||||
b.Core.logger.Info("mount tuning of description successful", "path", path, "description", description)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1657,8 +1667,12 @@ func (b *SystemBackend) handleAuthTable(ctx context.Context, req *logical.Reques
|
|||
func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
||||
repState := b.Core.ReplicationState()
|
||||
local := data.Get("local").(bool)
|
||||
|
||||
// If we are a performance secondary cluster we should forward the request
|
||||
// to the primary. We fail early here since the view in use isn't marked as
|
||||
// readonly
|
||||
if !local && repState.HasState(consts.ReplicationPerformanceSecondary) {
|
||||
return logical.ErrorResponse("cannot add a non-local mount to a replication secondary"), nil
|
||||
return nil, logical.ErrReadOnly
|
||||
}
|
||||
|
||||
// Get all the options
|
||||
|
@ -1812,8 +1826,12 @@ func (b *SystemBackend) handleDisableAuth(ctx context.Context, req *logical.Requ
|
|||
|
||||
repState := b.Core.ReplicationState()
|
||||
entry := b.Core.router.MatchingMountEntry(ctx, fullPath)
|
||||
|
||||
// If we are a performance secondary cluster we should forward the request
|
||||
// to the primary. We fail early here since the view in use isn't marked as
|
||||
// readonly
|
||||
if entry != nil && !entry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
|
||||
return logical.ErrorResponse("cannot unmount a non-local mount on a replication secondary"), nil
|
||||
return nil, logical.ErrReadOnly
|
||||
}
|
||||
|
||||
// We return success when the mount does not exists to not expose if the
|
||||
|
@ -2049,8 +2067,11 @@ func (b *SystemBackend) handleEnableAudit(ctx context.Context, req *logical.Requ
|
|||
repState := b.Core.ReplicationState()
|
||||
|
||||
local := data.Get("local").(bool)
|
||||
// If we are a performance secondary cluster we should forward the request
|
||||
// to the primary. We fail early here since the view in use isn't marked as
|
||||
// readonly
|
||||
if !local && repState.HasState(consts.ReplicationPerformanceSecondary) {
|
||||
return logical.ErrorResponse("cannot add a non-local mount to a replication secondary"), nil
|
||||
return nil, logical.ErrReadOnly
|
||||
}
|
||||
|
||||
// Get all the options
|
||||
|
@ -2081,6 +2102,35 @@ func (b *SystemBackend) handleEnableAudit(ctx context.Context, req *logical.Requ
|
|||
func (b *SystemBackend) handleDisableAudit(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
||||
path := data.Get("path").(string)
|
||||
|
||||
if !strings.HasSuffix(path, "/") {
|
||||
path += "/"
|
||||
}
|
||||
|
||||
if path == "/" {
|
||||
return handleError(errors.New("audit device path must be specified"))
|
||||
}
|
||||
|
||||
b.Core.auditLock.RLock()
|
||||
table := b.Core.audit.shallowClone()
|
||||
entry, err := table.find(ctx, path)
|
||||
b.Core.auditLock.RUnlock()
|
||||
|
||||
if err != nil {
|
||||
return handleError(err)
|
||||
}
|
||||
if entry == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
repState := b.Core.ReplicationState()
|
||||
|
||||
// If we are a performance secondary cluster we should forward the request
|
||||
// to the primary. We fail early here since the view in use isn't marked as
|
||||
// readonly
|
||||
if !entry.Local && repState.HasState(consts.ReplicationPerformanceSecondary) {
|
||||
return nil, logical.ErrReadOnly
|
||||
}
|
||||
|
||||
// Attempt disable
|
||||
if existed, err := b.Core.disableAudit(ctx, path, true); existed && err != nil {
|
||||
b.Backend.Logger().Error("disable audit mount failed", "path", path, "error", err)
|
||||
|
|
|
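Review bot: The performance-secondary guard — the three-line comment plus `if … && repState.HasState(consts.ReplicationPerformanceSecondary) { return nil, logical.ErrReadOnly }` — is now repeated verbatim in handleMount, handleUnmount, handleRemount, both branches of handleTuneWriteCommon, handleEnableAuth, handleDisableAuth, handleEnableAudit and handleDisableAudit; a small helper on SystemBackend that takes the local flag and returns `logical.ErrReadOnly` when the request must be forwarded would keep the nine sites from drifting apart. In handleDisableAudit the audit table is cloned and searched under `auditLock.RLock()` and the lock is released before `disableAudit` runs, so the `entry.Local` forwarding decision is made on a snapshot; that appears acceptable because disableAudit takes the write lock itself and returns an `existed` flag, but a one-line comment saying the snapshot is intentional would spare the next reader the same analysis. The empty-path error there ("audit device path must be specified") also differs from the one Core.disableAudit returns for the identical condition ("backend path must be specified").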
@ -174,6 +174,21 @@ func (t *MountTable) remove(ctx context.Context, path string) (*MountEntry, erro
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
func (t *MountTable) find(ctx context.Context, path string) (*MountEntry, error) {
|
||||
n := len(t.Entries)
|
||||
ns, err := namespace.FromContext(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for i := 0; i < n; i++ {
|
||||
if entry := t.Entries[i]; entry.Path == path && entry.Namespace().ID == ns.ID {
|
||||
return entry, nil
|
||||
}
|
||||
}
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// sortEntriesByPath sorts the entries in the table by path and returns the
|
||||
// table; this is useful for tests
|
||||
func (t *MountTable) sortEntriesByPath() *MountTable {
|
||||
|
|
|
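Review bot: `find` has no doc comment while sortEntriesByPath directly below it does; I would add `// find returns the entry whose Path equals path in the namespace carried by ctx, or (nil, nil) when there is no match. It takes no lock, so callers must hold the table lock or search a shallowClone.` The counted loop `n := len(t.Entries); for i := 0; i < n; i++ { if entry := t.Entries[i]; … }` can be written as `for _, entry := range t.Entries {`, which reads more directly and drops the otherwise unused `n`. Note that `remove` above (outside the hunk) presumably performs the same path-and-namespace comparison, so sharing a predicate between the two would keep their matching rules identical.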
@ -30,6 +30,7 @@ import (
|
|||
log "github.com/hashicorp/go-hclog"
|
||||
"github.com/mitchellh/copystructure"
|
||||
|
||||
"golang.org/x/crypto/ed25519"
|
||||
"golang.org/x/crypto/ssh"
|
||||
"golang.org/x/net/http2"
|
||||
|
||||
|
@ -637,6 +638,26 @@ func (n *noopAudit) Salt(ctx context.Context) (*salt.Salt, error) {
|
|||
return salt, nil
|
||||
}
|
||||
|
||||
func AddNoopAudit(conf *CoreConfig) {
|
||||
conf.AuditBackends = map[string]audit.Factory{
|
||||
"noop": func(_ context.Context, config *audit.BackendConfig) (audit.Backend, error) {
|
||||
view := &logical.InmemStorage{}
|
||||
view.Put(context.Background(), &logical.StorageEntry{
|
||||
Key: "salt",
|
||||
Value: []byte("foo"),
|
||||
})
|
||||
config.SaltConfig = &salt.Config{
|
||||
HMAC: sha256.New,
|
||||
HMACType: "hmac-sha256",
|
||||
}
|
||||
config.SaltView = view
|
||||
return &noopAudit{
|
||||
Config: config,
|
||||
}, nil
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
type rawHTTP struct{}
|
||||
|
||||
func (n *rawHTTP) HandleRequest(ctx context.Context, req *logical.Request) (*logical.Response, error) {
|
||||
|
@ -1250,6 +1271,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
|
|||
coreConfig.DisableSealWrap = base.DisableSealWrap
|
||||
coreConfig.DevLicenseDuration = base.DevLicenseDuration
|
||||
coreConfig.DisableCache = base.DisableCache
|
||||
coreConfig.LicensingConfig = base.LicensingConfig
|
||||
if base.BuiltinRegistry != nil {
|
||||
coreConfig.BuiltinRegistry = base.BuiltinRegistry
|
||||
}
|
||||
|
@ -1336,7 +1358,12 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
|
|||
localConfig.Logger = opts.Logger.Named(fmt.Sprintf("core%d", i))
|
||||
}
|
||||
|
||||
localConfig.LicensingConfig = testGetLicensingConfig(pubKey)
|
||||
switch {
|
||||
case localConfig.LicensingConfig != nil:
|
||||
localConfig.LicensingConfig.AdditionalPublicKeys = append(localConfig.LicensingConfig.AdditionalPublicKeys, pubKey.(ed25519.PublicKey))
|
||||
default:
|
||||
localConfig.LicensingConfig = testGetLicensingConfig(pubKey)
|
||||
}
|
||||
|
||||
c, err := NewCore(&localConfig)
|
||||
if err != nil {
|
||||
|
|
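Review bot: AddNoopAudit replaces `conf.AuditBackends` wholesale with a new map, so any factory a test already registered on the config is silently dropped despite the "Add" in the name; initializing with `if conf.AuditBackends == nil { conf.AuditBackends = make(map[string]audit.Factory) }` and then assigning `conf.AuditBackends["noop"] = func(...) { ... }` would make it additive. The result of `view.Put(context.Background(), …)` for the salt entry is discarded; even in a test factory that should be `if err := view.Put(...); err != nil { return nil, err }` so a storage failure surfaces instead of yielding a backend whose salt was never stored. In the NewTestCluster hunk the `pubKey.(ed25519.PublicKey)` assertion is unchecked and would panic if the key were any other type; pubKey is declared outside the hunk, so this may be guaranteed by construction, but a `pk, ok :=` form with a t.Fatal would make that explicit.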