Allow wrapping to be specified by backends, and take the lesser of the request/response times (#2088)
This commit is contained in:
parent
db9dbdeb86
commit
6c1d2ffea9
|
@ -1679,11 +1679,13 @@ func (b *SystemBackend) handleWrappingRewrap(
|
|||
|
||||
// Return response in "response"; wrapping code will detect the rewrap and
|
||||
// slot in instead of nesting
|
||||
req.WrapTTL = time.Duration(creationTTL)
|
||||
return &logical.Response{
|
||||
Data: map[string]interface{}{
|
||||
"response": response,
|
||||
},
|
||||
WrapInfo: &logical.WrapInfo{
|
||||
TTL: time.Duration(creationTTL),
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
|
|
@ -186,12 +186,29 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r
|
|||
// Route the request
|
||||
resp, err := c.router.Route(req)
|
||||
if resp != nil {
|
||||
// We don't allow backends to specify this, so ensure it's not set
|
||||
resp.WrapInfo = nil
|
||||
// If wrapping is used, use the shortest between the request and response
|
||||
var wrapTTL time.Duration
|
||||
|
||||
if req.WrapTTL != 0 {
|
||||
// Ensure no wrap info information is set other than, possibly, the TTL
|
||||
if resp.WrapInfo != nil {
|
||||
if resp.WrapInfo.TTL > 0 {
|
||||
wrapTTL = resp.WrapInfo.TTL
|
||||
}
|
||||
resp.WrapInfo = nil
|
||||
}
|
||||
|
||||
if req.WrapTTL > 0 {
|
||||
switch {
|
||||
case wrapTTL == 0:
|
||||
wrapTTL = req.WrapTTL
|
||||
case req.WrapTTL < wrapTTL:
|
||||
wrapTTL = req.WrapTTL
|
||||
}
|
||||
}
|
||||
|
||||
if wrapTTL > 0 {
|
||||
resp.WrapInfo = &logical.WrapInfo{
|
||||
TTL: req.WrapTTL,
|
||||
TTL: wrapTTL,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -306,14 +323,32 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log
|
|||
// Route the request
|
||||
resp, err := c.router.Route(req)
|
||||
if resp != nil {
|
||||
// We don't allow backends to specify this, so ensure it's not set
|
||||
resp.WrapInfo = nil
|
||||
// If wrapping is used, use the shortest between the request and response
|
||||
var wrapTTL time.Duration
|
||||
|
||||
if req.WrapTTL != 0 {
|
||||
resp.WrapInfo = &logical.WrapInfo{
|
||||
TTL: req.WrapTTL,
|
||||
// Ensure no wrap info information is set other than, possibly, the TTL
|
||||
if resp.WrapInfo != nil {
|
||||
if resp.WrapInfo.TTL > 0 {
|
||||
wrapTTL = resp.WrapInfo.TTL
|
||||
}
|
||||
resp.WrapInfo = nil
|
||||
}
|
||||
|
||||
if req.WrapTTL > 0 {
|
||||
switch {
|
||||
case wrapTTL == 0:
|
||||
wrapTTL = req.WrapTTL
|
||||
case req.WrapTTL < wrapTTL:
|
||||
wrapTTL = req.WrapTTL
|
||||
}
|
||||
}
|
||||
|
||||
if wrapTTL > 0 {
|
||||
resp.WrapInfo = &logical.WrapInfo{
|
||||
TTL: wrapTTL,
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// A login request should never return a secret!
|
||||
|
|
|
@ -263,12 +263,7 @@ func (r *Router) routeCommon(req *logical.Request, existenceCheck bool) (*logica
|
|||
req.ID = originalReqID
|
||||
req.Storage = nil
|
||||
req.ClientToken = clientToken
|
||||
|
||||
// Only the rewrap endpoint is allowed to declare a wrap TTL on a
|
||||
// request that did not come from the client
|
||||
if req.Path != "sys/wrapping/rewrap" {
|
||||
req.WrapTTL = originalWrapTTL
|
||||
}
|
||||
req.WrapTTL = originalWrapTTL
|
||||
}()
|
||||
|
||||
// Invoke the backend
|
||||
|
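Review bot: The reason WrapTTL is now restored unconditionally is no longer visible in the code: with the rewrap exemption removed, a backend has no way to set a wrap TTL on the request at all and must instead signal wrapping through `resp.WrapInfo.TTL`, which the core caps at the client's own request. That rule should be stated next to the reset so nobody reintroduces a path-based exemption, e.g. `// Backends must never influence the request's wrap TTL; a backend that wants wrapping sets resp.WrapInfo.TTL, which the core bounds by the client's request.` The deferred restore closure this line belongs to starts outside the hunk.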
|