luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Revert "AutoMTLS for secrets/auth plugins (#15671)" (#16377) 

This reverts commit 39bcd5c71529f5f4eb61aae68b17d06d192ea55f.
This commit is contained in:
John-Michael Faircloth 2022-07-20 10:36:23 -05:00 committed by GitHub
parent 047b3106ff
commit a5349bd1ef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 439 additions and 740 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
api/plugin_helpers.go
View File

@ -17,10 +17,6 @@ import (
)
var (
// PluginAutoMTLSEnv ensures AutoMTLS is used. This overrides setting a
// TLSProviderFunc for a plugin.
PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS"
// PluginMetadataModeEnv is an ENV name used to disable TLS communication
// to bootstrap mounting plugins.
PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"
@ -124,7 +120,7 @@ func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error)
// VaultPluginTLSProviderContext is run inside a plugin and retrieves the response
// wrapped TLS certificate from vault. It returns a configured TLS Config.
func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
if os.Getenv(PluginAutoMTLSEnv) == "true" || os.Getenv(PluginMetadataModeEnv) == "true" {
if os.Getenv(PluginMetadataModeEnv) == "true" {
return nil
}

29
builtin/plugin/backend.go
View File

@ -9,7 +9,6 @@ import (
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-multierror"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
@ -52,32 +51,17 @@ func Backend(ctx context.Context, conf *logical.BackendConfig) (*PluginBackend,
sys := conf.System
merr := &multierror.Error{}
// NewBackend with isMetadataMode set to false
raw, err := bplugin.NewBackend(ctx, name, pluginType, sys, conf, false, true)
// NewBackend with isMetadataMode set to true
raw, err := bplugin.NewBackend(ctx, name, pluginType, sys, conf, true)
if err != nil {
merr = multierror.Append(merr, err)
// NewBackend with isMetadataMode set to true
raw, err = bplugin.NewBackend(ctx, name, pluginType, sys, conf, true, false)
if err != nil {
merr = multierror.Append(merr, err)
return nil, merr
}
} else {
b.Backend = raw
b.config = conf
b.loaded = true
b.autoMTLSSupported = true
return &b, nil
return nil, err
}
// Setup the backend so we can inspect the SpecialPaths and Type
err = raw.Setup(ctx, conf)
if err != nil {
raw.Cleanup(ctx)
return nil, err
}
// Get SpecialPaths and BackendType
paths := raw.SpecialPaths()
btype := raw.Type()
@ -101,8 +85,7 @@ type PluginBackend struct {
Backend logical.Backend
sync.RWMutex
autoMTLSSupported bool
config *logical.BackendConfig
config *logical.BackendConfig
// Used to detect if we already reloaded
canary string
@ -122,7 +105,7 @@ func (b *PluginBackend) startBackend(ctx context.Context, storage logical.Storag
// Ensure proper cleanup of the backend (i.e. call client.Kill())
b.Backend.Cleanup(ctx)
nb, err := bplugin.NewBackend(ctx, pluginName, pluginType, b.config.System, b.config, false, b.autoMTLSSupported)
nb, err := bplugin.NewBackend(ctx, pluginName, pluginType, b.config.System, b.config, false)
if err != nil {
return err
}

2
builtin/plugin/backend_lazyLoad_test.go
View File

@ -59,7 +59,7 @@ func testLazyLoad(t *testing.T, methodWrapper func() error) *PluginBackend {
}
// this is a dummy plugin that hasn't really been loaded yet
orig, err := plugin.NewBackend(ctx, "test-plugin", consts.PluginTypeSecrets, sysView, config, true, false)
orig, err := plugin.NewBackend(ctx, "test-plugin", consts.PluginTypeSecrets, sysView, config, true)
if err != nil {
t.Fatal(err)
}

3
changelog/15671.txt
View File

@ -1,3 +0,0 @@
```release-note:improvement
plugins: Use AutoMTLS for secrets engines and auth methods run as external plugins.
```

4
sdk/helper/pluginutil/env.go
View File

@ -8,10 +8,6 @@ import (
)
var (
// PluginAutoMTLSEnv is used to ensure AutoMTLS is used. This will override
// setting a TLSProviderFunc for a plugin.
PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS"
// PluginMlockEnabled is the ENV name used to pass the configuration for
// enabling mlock
PluginMlockEnabled = "VAULT_PLUGIN_MLOCK_ENABLED"

2
sdk/helper/pluginutil/multiplexing.go
View File

@ -9,8 +9,6 @@ import (
status "google.golang.org/grpc/status"
)
const MultiplexingCtxKey string = "multiplex_id"
type PluginMultiplexingServerImpl struct {
UnimplementedPluginMultiplexingServer

12
sdk/helper/pluginutil/run_config.go
View File

@ -22,7 +22,6 @@ type PluginClientConfig struct {
IsMetadataMode bool
AutoMTLS bool
MLock bool
Wrapper RunnerUtil
}
type runConfig struct {
@ -34,6 +33,8 @@ type runConfig struct {
// Initialized with what's in PluginRunner.Env, but can be added to
env []string
wrapper RunnerUtil
PluginClientConfig
}
@ -42,7 +43,7 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
cmd.Env = append(cmd.Env, rc.env...)
// Add the mlock setting to the ENV of the plugin
if rc.MLock || (rc.Wrapper != nil && rc.Wrapper.MlockEnabled()) {
if rc.MLock || (rc.wrapper != nil && rc.wrapper.MlockEnabled()) {
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMlockEnabled, "true"))
}
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version))
@ -53,9 +54,6 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
metadataEnv := fmt.Sprintf("%s=%t", PluginMetadataModeEnv, rc.IsMetadataMode)
cmd.Env = append(cmd.Env, metadataEnv)
automtlsEnv := fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, rc.AutoMTLS)
cmd.Env = append(cmd.Env, automtlsEnv)
var clientTLSConfig *tls.Config
if !rc.AutoMTLS && !rc.IsMetadataMode {
// Get a CA TLS Certificate
@ -72,7 +70,7 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
// Use CA to sign a server cert and wrap the values in a response wrapped
// token.
wrapToken, err := wrapServerConfig(ctx, rc.Wrapper, certBytes, key)
wrapToken, err := wrapServerConfig(ctx, rc.wrapper, certBytes, key)
if err != nil {
return nil, err
}
@ -122,7 +120,7 @@ func Env(env ...string) RunOpt {
func Runner(wrapper RunnerUtil) RunOpt {
return func(rc *runConfig) {
rc.Wrapper = wrapper
rc.wrapper = wrapper
}
}

12
sdk/helper/pluginutil/run_config_test.go
View File

@ -4,6 +4,7 @@ import (
"context"
"fmt"
"os/exec"
"reflect"
"testing"
"time"
@ -13,7 +14,6 @@ import (
"github.com/hashicorp/go-plugin"
"github.com/hashicorp/vault/sdk/helper/wrapping"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
)
func TestMakeConfig(t *testing.T) {
@ -78,7 +78,6 @@ func TestMakeConfig(t *testing.T) {
"initial=true",
fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
fmt.Sprintf("%s=%t", PluginMetadataModeEnv, true),
fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, false),
},
),
SecureConfig: &plugin.SecureConfig{
@ -144,7 +143,6 @@ func TestMakeConfig(t *testing.T) {
fmt.Sprintf("%s=%t", PluginMlockEnabled, true),
fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, false),
fmt.Sprintf("%s=%s", PluginUnwrapTokenEnv, "testtoken"),
},
),
@ -207,7 +205,6 @@ func TestMakeConfig(t *testing.T) {
"initial=true",
fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
fmt.Sprintf("%s=%t", PluginMetadataModeEnv, true),
fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
},
),
SecureConfig: &plugin.SecureConfig{
@ -269,7 +266,6 @@ func TestMakeConfig(t *testing.T) {
"initial=true",
fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
},
),
SecureConfig: &plugin.SecureConfig{
@ -294,7 +290,7 @@ func TestMakeConfig(t *testing.T) {
Return(test.responseWrapInfo, test.responseWrapInfoErr)
mockWrapper.On("MlockEnabled").
Return(test.mlockEnabled)
test.rc.Wrapper = mockWrapper
test.rc.wrapper = mockWrapper
defer mockWrapper.AssertNumberOfCalls(t, "ResponseWrapData", test.responseWrapInfoTimes)
defer mockWrapper.AssertNumberOfCalls(t, "MlockEnabled", test.mlockEnabledTimes)
@ -322,7 +318,9 @@ func TestMakeConfig(t *testing.T) {
}
config.TLSConfig = nil
require.Equal(t, config, test.expectedConfig)
if !reflect.DeepEqual(config, test.expectedConfig) {
t.Fatalf("Actual config: %#v\nExpected config: %#v", config, test.expectedConfig)
}
})
}
}

2
sdk/helper/pluginutil/runner.go
View File

@ -38,6 +38,8 @@ type PluginClient interface {
plugin.ClientProtocol
}
const MultiplexingCtxKey string = "multiplex_id"
// PluginRunner defines the metadata needed to run a plugin securely with
// go-plugin.
type PluginRunner struct {

20
sdk/plugin/backend.go
View File

@ -20,10 +20,9 @@ var (
// GRPCBackendPlugin is the plugin.Plugin implementation that only supports GRPC
// transport
type GRPCBackendPlugin struct {
Factory logical.Factory
MetadataMode bool
AutoMTLSSupported bool
Logger log.Logger
Factory logical.Factory
MetadataMode bool
Logger log.Logger
// Embeding this will disable the netRPC protocol
plugin.NetRPCUnsupportedPlugin
@ -42,13 +41,12 @@ func (b GRPCBackendPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server)
func (b *GRPCBackendPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
ret := &backendGRPCPluginClient{
client: pb.NewBackendClient(c),
clientConn: c,
broker: broker,
cleanupCh: make(chan struct{}),
doneCtx: ctx,
// Only run in metadata mode if mode is true and autoMTLS is not supported
metadataMode: b.MetadataMode && !b.AutoMTLSSupported,
client: pb.NewBackendClient(c),
clientConn: c,
broker: broker,
cleanupCh: make(chan struct{}),
doneCtx: ctx,
metadataMode: b.MetadataMode,
}
// Create the value and set the type

58
sdk/plugin/plugin.go
View File

@ -7,6 +7,7 @@ import (
"sync"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog"
plugin "github.com/hashicorp/go-plugin"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/pluginutil"
@ -34,7 +35,7 @@ func (b *BackendPluginClient) Cleanup(ctx context.Context) {
// external plugins, or a concrete implementation of the backend if it is a builtin backend.
// The backend is returned as a logical.Backend interface. The isMetadataMode param determines whether
// the plugin should run in metadata mode.
func NewBackend(ctx context.Context, pluginName string, pluginType consts.PluginType, sys pluginutil.LookRunnerUtil, conf *logical.BackendConfig, isMetadataMode bool, autoMTLS bool) (logical.Backend, error) {
func NewBackend(ctx context.Context, pluginName string, pluginType consts.PluginType, sys pluginutil.LookRunnerUtil, conf *logical.BackendConfig, isMetadataMode bool) (logical.Backend, error) {
// Look for plugin in the plugin catalog
pluginRunner, err := sys.LookupPlugin(ctx, pluginName, pluginType)
if err != nil {
@ -58,16 +59,8 @@ func NewBackend(ctx context.Context, pluginName string, pluginType consts.Plugin
}
}
} else {
config := pluginutil.PluginClientConfig{
Name: pluginName,
PluginType: pluginType,
Logger: conf.Logger.Named(pluginName),
IsMetadataMode: isMetadataMode,
AutoMTLS: autoMTLS,
Wrapper: sys,
}
// create a backendPluginClient instance
backend, err = NewPluginClient(ctx, pluginRunner, config)
backend, err = NewPluginClient(ctx, sys, pluginRunner, conf.Logger, isMetadataMode)
if err != nil {
return nil, err
}
@ -76,49 +69,34 @@ func NewBackend(ctx context.Context, pluginName string, pluginType consts.Plugin
return backend, nil
}
// pluginSet returns the go-plugin PluginSet that we can dispense. This ensures
// that plugins that don't support AutoMTLS are run on the appropriate version.
func pluginSet(autoMTLS, metadataMode bool) map[int]plugin.PluginSet {
if autoMTLS {
return map[int]plugin.PluginSet{
5: {
"backend": &GRPCBackendPlugin{
MetadataMode: false,
AutoMTLSSupported: true,
},
},
}
}
return map[int]plugin.PluginSet{
func NewPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunner *pluginutil.PluginRunner, logger log.Logger, isMetadataMode bool) (logical.Backend, error) {
// pluginMap is the map of plugins we can dispense.
pluginSet := map[int]plugin.PluginSet{
// Version 3 used to supports both protocols. We want to keep it around
// since it's possible old plugins built against this version will still
// work with gRPC. There is currently no difference between version 3
// and version 4.
3: {
"backend": &GRPCBackendPlugin{
MetadataMode: metadataMode,
MetadataMode: isMetadataMode,
},
},
4: {
"backend": &GRPCBackendPlugin{
MetadataMode: metadataMode,
MetadataMode: isMetadataMode,
},
},
}
}
func NewPluginClient(ctx context.Context, pluginRunner *pluginutil.PluginRunner, config pluginutil.PluginClientConfig) (logical.Backend, error) {
ps := pluginSet(config.AutoMTLS, config.IsMetadataMode)
namedLogger := logger.Named(pluginRunner.Name)
client, err := pluginRunner.RunConfig(ctx,
pluginutil.Runner(config.Wrapper),
pluginutil.PluginSets(ps),
pluginutil.HandshakeConfig(handshakeConfig),
pluginutil.Env(),
pluginutil.Logger(config.Logger),
pluginutil.MetadataMode(config.IsMetadataMode),
pluginutil.AutoMTLS(config.AutoMTLS),
)
var client *plugin.Client
var err error
if isMetadataMode {
client, err = pluginRunner.RunMetadataMode(ctx, sys, pluginSet, handshakeConfig, []string{}, namedLogger)
} else {
client, err = pluginRunner.Run(ctx, sys, pluginSet, handshakeConfig, []string{}, namedLogger)
}
if err != nil {
return nil, err
}
@ -148,9 +126,9 @@ func NewPluginClient(ctx context.Context, pluginRunner *pluginutil.PluginRunner,
}
// Wrap the backend in a tracing middleware
if config.Logger.IsTrace() {
if namedLogger.IsTrace() {
backend = &backendTracingMiddleware{
logger: config.Logger.With("transport", transport),
logger: namedLogger.With("transport", transport),
next: backend,
}
}

10
sdk/plugin/serve.go
View File

@ -37,13 +37,12 @@ func Serve(opts *ServeOpts) error {
})
}
// pluginSets is the map of plugins we can dispense.
// pluginMap is the map of plugins we can dispense.
pluginSets := map[int]plugin.PluginSet{
// Version 3 used to supports both protocols. We want to keep it around
// since it's possible old plugins built against this version will still
// work with gRPC. There is currently no difference between version 3
// and version 4.
// AutoMTLS is not supported by versions lower than 5.
3: {
"backend": &GRPCBackendPlugin{
Factory: opts.BackendFactoryFunc,
@ -56,13 +55,6 @@ func Serve(opts *ServeOpts) error {
Logger: logger,
},
},
5: {
"backend": &GRPCBackendPlugin{
Factory: opts.BackendFactoryFunc,
Logger: logger,
AutoMTLSSupported: true,
},
},
}
err := pluginutil.OptionallyEnableMlock()

948
vault/logical_system_integ_test.go
View File

File diff suppressed because it is too large Load Diff

71
vault/plugin_catalog.go
View File

@ -325,72 +325,39 @@ func (c *PluginCatalog) getPluginTypeFromUnknown(ctx context.Context, logger log
}
merr = multierror.Append(merr, err)
pluginType, err := c.getBackendPluginType(ctx, plugin)
// Attempt to run as backend plugin
client, err := backendplugin.NewPluginClient(ctx, nil, plugin, log.NewNullLogger(), true)
if err == nil {
return pluginType, nil
}
merr = multierror.Append(merr, err)
return consts.PluginTypeUnknown, merr
}
// getBackendPluginType returns the plugin type (secrets/auth) and an error if
// the plugin is not a backend plugin.
func (c *PluginCatalog) getBackendPluginType(ctx context.Context, pluginRunner *pluginutil.PluginRunner) (consts.PluginType, error) {
var client logical.Backend
var merr *multierror.Error
config := pluginutil.PluginClientConfig{
Name: pluginRunner.Name,
Logger: log.NewNullLogger(),
IsMetadataMode: false,
AutoMTLS: true,
}
// Attempt to run as backend V5 plugin
c.logger.Debug("attempting to load backend plugin", "name", pluginRunner.Name)
client, err := backendplugin.NewPluginClient(ctx, pluginRunner, config)
if err != nil {
merr = multierror.Append(merr, err)
c.logger.Debug("failed to dispense v5 backend plugin", "name", pluginRunner.Name, "error", err)
config.AutoMTLS = false
config.IsMetadataMode = true
// attemtp to run as a v4 backend plugin
client, err = backendplugin.NewPluginClient(ctx, pluginRunner, config)
err := client.Setup(ctx, &logical.BackendConfig{})
if err != nil {
c.logger.Debug("failed to dispense v4 backend plugin", "name", pluginRunner.Name, "error", err)
return consts.PluginTypeUnknown, merr.ErrorOrNil()
return consts.PluginTypeUnknown, err
}
c.logger.Debug("successfully dispensed v4 backend plugin", "name", pluginRunner.Name)
}
err = client.Setup(ctx, &logical.BackendConfig{})
if err != nil {
return consts.PluginTypeUnknown, err
}
backendType := client.Type()
client.Cleanup(ctx)
backendType := client.Type()
client.Cleanup(ctx)
switch backendType {
case logical.TypeCredential:
return consts.PluginTypeCredential, nil
case logical.TypeLogical:
return consts.PluginTypeSecrets, nil
switch backendType {
case logical.TypeCredential:
return consts.PluginTypeCredential, nil
case logical.TypeLogical:
return consts.PluginTypeSecrets, nil
}
} else {
merr = multierror.Append(merr, err)
}
if client == nil || client.Type() == logical.TypeUnknown {
c.logger.Warn("unknown plugin type",
"plugin name", pluginRunner.Name,
logger.Warn("unknown plugin type",
"plugin name", plugin.Name,
"error", merr.Error())
} else {
c.logger.Warn("unsupported plugin type",
"plugin name", pluginRunner.Name,
logger.Warn("unsupported plugin type",
"plugin name", plugin.Name,
"plugin type", client.Type().String(),
"error", merr.Error())
}
merr = multierror.Append(merr, fmt.Errorf("failed to load plugin as backend plugin: %w", err))
return consts.PluginTypeUnknown, merr.ErrorOrNil()
return consts.PluginTypeUnknown, nil
}
// isDatabasePlugin returns true if the plugin supports multiplexing. An error