luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Plumbing request context through to expiration manager (#5021) 

* plumbing request context to expiration manager

* moar context

* address feedback

* only using active context for revoke prefix

* using active context for revoke commands

* cancel tidy on active context

* address feedback
This commit is contained in:
Chris Hoffman 2018-08-01 21:39:39 -04:00 committed by GitHub
parent 212b00593d
commit d8b1d19ed6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 196 additions and 193 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
vault/auth.go
View File

@ -189,7 +189,7 @@ func (c *Core) disableCredential(ctx context.Context, path string) error {
if backend != nil {
// Revoke credentials from this path
if err := c.expiration.RevokePrefix(fullPath, true); err != nil {
if err := c.expiration.RevokePrefix(c.activeContext, fullPath, true); err != nil {
return err
}

4
vault/core.go
View File

@ -1082,9 +1082,9 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
if te != nil && te.NumUses == tokenRevocationPending {
// Token needs to be revoked. We do this immediately here because
// we won't have a token store after sealing.
leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(te)
leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(c.activeContext, te)
if err == nil {
err = c.expiration.Revoke(ctx, leaseID)
err = c.expiration.Revoke(c.activeContext, leaseID)
}
if err != nil {
c.logger.Error("token needed revocation before seal but failed to revoke", "error", err)

164
vault/expiration.go
View File

@ -213,7 +213,7 @@ func (m *ExpirationManager) Tidy() error {
logger.Info("tidying leases", "progress", countLease)
}
le, err := m.loadEntry(leaseID)
le, err := m.loadEntry(m.quitContext, leaseID)
if err != nil {
tidyErrors = multierror.Append(tidyErrors, errwrap.Wrapf(fmt.Sprintf("failed to load the lease ID %q: {{err}}", leaseID), err))
return
@ -449,7 +449,7 @@ func (m *ExpirationManager) processRestore(leaseID string) error {
}
// Load lease and restore expiration timer
_, err := m.loadEntryInternal(leaseID, true, false)
_, err := m.loadEntryInternal(m.quitContext, leaseID, true, false)
if err != nil {
return err
}
@ -496,11 +496,11 @@ func (m *ExpirationManager) Revoke(ctx context.Context, leaseID string) error {
// LazyRevoke is used to queue revocation for a secret named by the given
// LeaseID. If the lease was not found it returns nil; if the lease was found
// it triggers a return of a 202.
func (m *ExpirationManager) LazyRevoke(leaseID string) error {
func (m *ExpirationManager) LazyRevoke(ctx context.Context, leaseID string) error {
defer metrics.MeasureSince([]string{"expire", "lazy-revoke"}, time.Now())
// Load the entry
le, err := m.loadEntry(leaseID)
le, err := m.loadEntry(ctx, leaseID)
if err != nil {
return err
}
@ -513,7 +513,7 @@ func (m *ExpirationManager) LazyRevoke(leaseID string) error {
le.ExpireTime = time.Now()
{
m.pendingLock.Lock()
if err := m.persistEntry(le); err != nil {
if err := m.persistEntry(ctx, le); err != nil {
m.pendingLock.Unlock()
return err
}
@ -531,7 +531,7 @@ func (m *ExpirationManager) revokeCommon(ctx context.Context, leaseID string, fo
defer metrics.MeasureSince([]string{"expire", "revoke-common"}, time.Now())
// Load the entry
le, err := m.loadEntry(leaseID)
le, err := m.loadEntry(ctx, leaseID)
if err != nil {
return err
}
@ -543,7 +543,7 @@ func (m *ExpirationManager) revokeCommon(ctx context.Context, leaseID string, fo
// Revoke the entry
if !skipToken || le.Auth == nil {
if err := m.revokeEntry(le); err != nil {
if err := m.revokeEntry(ctx, le); err != nil {
if !force {
return err
}
@ -555,13 +555,13 @@ func (m *ExpirationManager) revokeCommon(ctx context.Context, leaseID string, fo
}
// Delete the entry
if err := m.deleteEntry(leaseID); err != nil {
if err := m.deleteEntry(ctx, leaseID); err != nil {
return err
}
// Delete the secondary index, but only if it's a leased secret (not auth)
if le.Secret != nil {
if err := m.removeIndexByToken(le.ClientToken, le.LeaseID); err != nil {
if err := m.removeIndexByToken(ctx, le.ClientToken, le.LeaseID); err != nil {
return err
}
}
@ -583,30 +583,30 @@ func (m *ExpirationManager) revokeCommon(ctx context.Context, leaseID string, fo
// RevokeForce works similarly to RevokePrefix but continues in the case of a
// revocation error; this is mostly meant for recovery operations
func (m *ExpirationManager) RevokeForce(prefix string) error {
func (m *ExpirationManager) RevokeForce(ctx context.Context, prefix string) error {
defer metrics.MeasureSince([]string{"expire", "revoke-force"}, time.Now())
return m.revokePrefixCommon(prefix, true, true)
return m.revokePrefixCommon(ctx, prefix, true, true)
}
// RevokePrefix is used to revoke all secrets with a given prefix.
// The prefix maps to that of the mount table to make this simpler
// to reason about.
func (m *ExpirationManager) RevokePrefix(prefix string, sync bool) error {
func (m *ExpirationManager) RevokePrefix(ctx context.Context, prefix string, sync bool) error {
defer metrics.MeasureSince([]string{"expire", "revoke-prefix"}, time.Now())
return m.revokePrefixCommon(prefix, false, sync)
return m.revokePrefixCommon(ctx, prefix, false, sync)
}
// RevokeByToken is used to revoke all the secrets issued with a given token.
// This is done by using the secondary index. It also removes the lease entry
// for the token itself. As a result it should *ONLY* ever be called from the
// token store's revokeSalted function.
func (m *ExpirationManager) RevokeByToken(te *logical.TokenEntry) error {
func (m *ExpirationManager) RevokeByToken(ctx context.Context, te *logical.TokenEntry) error {
defer metrics.MeasureSince([]string{"expire", "revoke-by-token"}, time.Now())
// Lookup the leases
existing, err := m.lookupLeasesByToken(te.ID)
existing, err := m.lookupLeasesByToken(ctx, te.ID)
if err != nil {
return errwrap.Wrapf("failed to scan for leases: {{err}}", err)
}
@ -614,7 +614,7 @@ func (m *ExpirationManager) RevokeByToken(te *logical.TokenEntry) error {
// Revoke all the keys
for _, leaseID := range existing {
// Load the entry
le, err := m.loadEntry(leaseID)
le, err := m.loadEntry(ctx, leaseID)
if err != nil {
return err
}
@ -627,7 +627,7 @@ func (m *ExpirationManager) RevokeByToken(te *logical.TokenEntry) error {
{
m.pendingLock.Lock()
if err := m.persistEntry(le); err != nil {
if err := m.persistEntry(ctx, le); err != nil {
m.pendingLock.Unlock()
return err
}
@ -640,7 +640,7 @@ func (m *ExpirationManager) RevokeByToken(te *logical.TokenEntry) error {
// te.Path should never be empty, but we check just in case
if te.Path != "" {
saltedID, err := m.tokenStore.SaltID(m.quitContext, te.ID)
saltedID, err := m.tokenStore.SaltID(ctx, te.ID)
if err != nil {
return err
}
@ -653,13 +653,13 @@ func (m *ExpirationManager) RevokeByToken(te *logical.TokenEntry) error {
// we're already revoking the token, so we just want to clean up the lease.
// This avoids spurious revocations later in the log when the timer runs
// out, and eases up resource usage.
return m.revokeCommon(m.quitContext, tokenLeaseID, false, true)
return m.revokeCommon(ctx, tokenLeaseID, false, true)
}
return nil
}
func (m *ExpirationManager) revokePrefixCommon(prefix string, force, sync bool) error {
func (m *ExpirationManager) revokePrefixCommon(ctx context.Context, prefix string, force, sync bool) error {
if m.inRestoreMode() {
m.restoreRequestLock.Lock()
defer m.restoreRequestLock.Unlock()
@ -668,22 +668,22 @@ func (m *ExpirationManager) revokePrefixCommon(prefix string, force, sync bool)
// Ensure there is a trailing slash; or, if there is no slash, see if there
// is a matching specific ID
if !strings.HasSuffix(prefix, "/") {
le, err := m.loadEntry(prefix)
le, err := m.loadEntry(ctx, prefix)
if err == nil && le != nil {
if sync {
if err := m.revokeCommon(m.quitContext, prefix, force, false); err != nil {
if err := m.revokeCommon(ctx, prefix, force, false); err != nil {
return errwrap.Wrapf(fmt.Sprintf("failed to revoke %q: {{err}}", prefix), err)
}
return nil
}
return m.LazyRevoke(prefix)
return m.LazyRevoke(ctx, prefix)
}
prefix = prefix + "/"
}
// Accumulate existing leases
sub := m.idView.SubView(prefix)
existing, err := logical.CollectKeys(m.quitContext, sub)
existing, err := logical.CollectKeys(ctx, sub)
if err != nil {
return errwrap.Wrapf("failed to scan for leases: {{err}}", err)
}
@ -693,11 +693,11 @@ func (m *ExpirationManager) revokePrefixCommon(prefix string, force, sync bool)
leaseID := prefix + suffix
switch {
case sync:
if err := m.revokeCommon(m.quitContext, leaseID, force, false); err != nil {
if err := m.revokeCommon(ctx, leaseID, force, false); err != nil {
return errwrap.Wrapf(fmt.Sprintf("failed to revoke %q (%d / %d): {{err}}", leaseID, idx+1, len(existing)), err)
}
default:
if err := m.LazyRevoke(leaseID); err != nil {
if err := m.LazyRevoke(ctx, leaseID); err != nil {
return errwrap.Wrapf(fmt.Sprintf("failed to revoke %q (%d / %d): {{err}}", leaseID, idx+1, len(existing)), err)
}
}
@ -708,11 +708,11 @@ func (m *ExpirationManager) revokePrefixCommon(prefix string, force, sync bool)
// Renew is used to renew a secret using the given leaseID
// and a renew interval. The increment may be ignored.
func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*logical.Response, error) {
func (m *ExpirationManager) Renew(ctx context.Context, leaseID string, increment time.Duration) (*logical.Response, error) {
defer metrics.MeasureSince([]string{"expire", "renew"}, time.Now())
// Load the entry
le, err := m.loadEntry(leaseID)
le, err := m.loadEntry(ctx, leaseID)
if err != nil {
return nil, err
}
@ -735,7 +735,7 @@ func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*log
}
// Attempt to renew the entry
resp, err := m.renewEntry(le, increment)
resp, err := m.renewEntry(ctx, le, increment)
if err != nil {
return nil, err
}
@ -771,7 +771,7 @@ func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*log
{
m.pendingLock.Lock()
if err := m.persistEntry(le); err != nil {
if err := m.persistEntry(ctx, le); err != nil {
m.pendingLock.Unlock()
return nil, err
}
@ -787,19 +787,19 @@ func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*log
// RenewToken is used to renew a token which does not need to
// invoke a logical backend.
func (m *ExpirationManager) RenewToken(req *logical.Request, source string, token string,
func (m *ExpirationManager) RenewToken(ctx context.Context, req *logical.Request, source string, token string,
increment time.Duration) (*logical.Response, error) {
defer metrics.MeasureSince([]string{"expire", "renew-token"}, time.Now())
// Compute the Lease ID
saltedID, err := m.tokenStore.SaltID(m.quitContext, token)
saltedID, err := m.tokenStore.SaltID(ctx, token)
if err != nil {
return nil, err
}
leaseID := path.Join(source, saltedID)
// Load the entry
le, err := m.loadEntry(leaseID)
le, err := m.loadEntry(ctx, leaseID)
if err != nil {
return nil, err
}
@ -811,7 +811,7 @@ func (m *ExpirationManager) RenewToken(req *logical.Request, source string, toke
}
// Attempt to renew the auth entry
resp, err := m.renewAuthEntry(req, le, increment)
resp, err := m.renewAuthEntry(ctx, req, le, increment)
if err != nil {
return nil, err
}
@ -852,7 +852,7 @@ func (m *ExpirationManager) RenewToken(req *logical.Request, source string, toke
{
m.pendingLock.Lock()
if err := m.persistEntry(le); err != nil {
if err := m.persistEntry(ctx, le); err != nil {
m.pendingLock.Unlock()
return nil, err
}
@ -869,7 +869,7 @@ func (m *ExpirationManager) RenewToken(req *logical.Request, source string, toke
// Register is used to take a request and response with an associated
// lease. The secret gets assigned a LeaseID and the management of
// of lease is assumed by the expiration manager.
func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Response) (id string, retErr error) {
func (m *ExpirationManager) Register(ctx context.Context, req *logical.Request, resp *logical.Response) (id string, retErr error) {
defer metrics.MeasureSince([]string{"expire", "register"}, time.Now())
if req.ClientToken == "" {
@ -907,11 +907,11 @@ func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Respons
retErr = multierror.Append(retErr, errwrap.Wrapf("an additional error was encountered revoking the newly-generated secret: {{err}}", revResp.Error()))
}
if err := m.deleteEntry(leaseID); err != nil {
if err := m.deleteEntry(ctx, leaseID); err != nil {
retErr = multierror.Append(retErr, errwrap.Wrapf("an additional error was encountered deleting any lease associated with the newly-generated secret: {{err}}", err))
}
if err := m.removeIndexByToken(req.ClientToken, leaseID); err != nil {
if err := m.removeIndexByToken(ctx, req.ClientToken, leaseID); err != nil {
retErr = multierror.Append(retErr, errwrap.Wrapf("an additional error was encountered removing lease indexes associated with the newly-generated secret: {{err}}", err))
}
}
@ -928,12 +928,12 @@ func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Respons
}
// Encode the entry
if err := m.persistEntry(&le); err != nil {
if err := m.persistEntry(ctx, &le); err != nil {
return "", err
}
// Maintain secondary index by token
if err := m.createIndexByToken(le.ClientToken, le.LeaseID); err != nil {
if err := m.createIndexByToken(ctx, le.ClientToken, le.LeaseID); err != nil {
return "", err
}
@ -947,7 +947,7 @@ func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Respons
// RegisterAuth is used to take an Auth response with an associated lease.
// The token does not get a LeaseID, but the lease management is handled by
// the expiration manager.
func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) error {
func (m *ExpirationManager) RegisterAuth(ctx context.Context, source string, auth *logical.Auth) error {
defer metrics.MeasureSince([]string{"expire", "register-auth"}, time.Now())
if auth.ClientToken == "" {
@ -958,7 +958,7 @@ func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) erro
return consts.ErrPathContainsParentReferences
}
saltedID, err := m.tokenStore.SaltID(m.quitContext, auth.ClientToken)
saltedID, err := m.tokenStore.SaltID(ctx, auth.ClientToken)
if err != nil {
return err
}
@ -974,7 +974,7 @@ func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) erro
}
// Encode the entry
if err := m.persistEntry(&le); err != nil {
if err := m.persistEntry(ctx, &le); err != nil {
return err
}
@ -986,22 +986,22 @@ func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) erro
// FetchLeaseTimesByToken is a helper function to use token values to compute
// the leaseID, rather than pushing that logic back into the token store.
func (m *ExpirationManager) FetchLeaseTimesByToken(source, token string) (*leaseEntry, error) {
func (m *ExpirationManager) FetchLeaseTimesByToken(ctx context.Context, source, token string) (*leaseEntry, error) {
defer metrics.MeasureSince([]string{"expire", "fetch-lease-times-by-token"}, time.Now())
// Compute the Lease ID
saltedID, err := m.tokenStore.SaltID(m.quitContext, token)
saltedID, err := m.tokenStore.SaltID(ctx, token)
if err != nil {
return nil, err
}
leaseID := path.Join(source, saltedID)
return m.FetchLeaseTimes(leaseID)
return m.FetchLeaseTimes(ctx, leaseID)
}
// FetchLeaseTimes is used to fetch the issue time, expiration time, and last
// renewed time of a lease entry. It returns a leaseEntry itself, but with only
// those values copied over.
func (m *ExpirationManager) FetchLeaseTimes(leaseID string) (*leaseEntry, error) {
func (m *ExpirationManager) FetchLeaseTimes(ctx context.Context, leaseID string) (*leaseEntry, error) {
defer metrics.MeasureSince([]string{"expire", "fetch-lease-times"}, time.Now())
m.pendingLock.RLock()
@ -1013,7 +1013,7 @@ func (m *ExpirationManager) FetchLeaseTimes(leaseID string) (*leaseEntry, error)
}
// Load the entry
le, err := m.loadEntry(leaseID)
le, err := m.loadEntry(ctx, leaseID)
if err != nil {
return nil, err
}
@ -1131,11 +1131,11 @@ func (m *ExpirationManager) expireID(leaseID string) {
}
// revokeEntry is used to attempt revocation of an internal entry
func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
func (m *ExpirationManager) revokeEntry(ctx context.Context, le *leaseEntry) error {
// Revocation of login tokens is special since we can by-pass the
// backend and directly interact with the token store
if le.Auth != nil {
if err := m.tokenStore.revokeTree(m.quitContext, le.ClientToken); err != nil {
if err := m.tokenStore.revokeTree(ctx, le.ClientToken); err != nil {
return errwrap.Wrapf("failed to revoke token: {{err}}", err)
}
@ -1151,13 +1151,13 @@ func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
}
// renewEntry is used to attempt renew of an internal entry
func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
func (m *ExpirationManager) renewEntry(ctx context.Context, le *leaseEntry, increment time.Duration) (*logical.Response, error) {
secret := *le.Secret
secret.IssueTime = le.IssueTime
secret.Increment = increment
secret.LeaseID = ""
req := logical.RenewRequest(le.Path, &secret, le.Data)
resp, err := m.router.Route(m.quitContext, req)
resp, err := m.router.Route(ctx, req)
if err != nil || (resp != nil && resp.IsError()) {
return nil, errwrap.Wrapf(fmt.Sprintf("failed to renew entry: resp: %#v err: {{err}}", resp), err)
}
@ -1166,7 +1166,7 @@ func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration)
// renewAuthEntry is used to attempt renew of an auth entry. Only the token
// store should get the actual token ID intact.
func (m *ExpirationManager) renewAuthEntry(req *logical.Request, le *leaseEntry, increment time.Duration) (*logical.Response, error) {
func (m *ExpirationManager) renewAuthEntry(ctx context.Context, req *logical.Request, le *leaseEntry, increment time.Duration) (*logical.Response, error) {
auth := *le.Auth
auth.IssueTime = le.IssueTime
auth.Increment = increment
@ -1178,7 +1178,7 @@ func (m *ExpirationManager) renewAuthEntry(req *logical.Request, le *leaseEntry,
authReq := logical.RenewAuthRequest(le.Path, &auth, nil)
authReq.Connection = req.Connection
resp, err := m.router.Route(m.quitContext, authReq)
resp, err := m.router.Route(ctx, authReq)
if err != nil {
return nil, errwrap.Wrapf("failed to renew entry: {{err}}", err)
}
@ -1186,7 +1186,7 @@ func (m *ExpirationManager) renewAuthEntry(req *logical.Request, le *leaseEntry,
}
// loadEntry is used to read a lease entry
func (m *ExpirationManager) loadEntry(leaseID string) (*leaseEntry, error) {
func (m *ExpirationManager) loadEntry(ctx context.Context, leaseID string) (*leaseEntry, error) {
// Take out the lease locks after we ensure we are in restore mode
restoreMode := m.inRestoreMode()
if restoreMode {
@ -1199,13 +1199,13 @@ func (m *ExpirationManager) loadEntry(leaseID string) (*leaseEntry, error) {
defer m.unlockLease(leaseID)
}
}
return m.loadEntryInternal(leaseID, restoreMode, true)
return m.loadEntryInternal(ctx, leaseID, restoreMode, true)
}
// loadEntryInternal is used when you need to load an entry but also need to
// control the lifecycle of the restoreLock
func (m *ExpirationManager) loadEntryInternal(leaseID string, restoreMode bool, checkRestored bool) (*leaseEntry, error) {
out, err := m.idView.Get(m.quitContext, leaseID)
func (m *ExpirationManager) loadEntryInternal(ctx context.Context, leaseID string, restoreMode bool, checkRestored bool) (*leaseEntry, error) {
out, err := m.idView.Get(ctx, leaseID)
if err != nil {
return nil, errwrap.Wrapf("failed to read lease entry: {{err}}", err)
}
@ -1238,7 +1238,7 @@ func (m *ExpirationManager) loadEntryInternal(leaseID string, restoreMode bool,
}
// persistEntry is used to persist a lease entry
func (m *ExpirationManager) persistEntry(le *leaseEntry) error {
func (m *ExpirationManager) persistEntry(ctx context.Context, le *leaseEntry) error {
// Encode the entry
buf, err := le.encode()
if err != nil {
@ -1253,28 +1253,28 @@ func (m *ExpirationManager) persistEntry(le *leaseEntry) error {
if le.Auth != nil && len(le.Auth.Policies) == 1 && le.Auth.Policies[0] == "root" {
ent.SealWrap = true
}
if err := m.idView.Put(m.quitContext, &ent); err != nil {
if err := m.idView.Put(ctx, &ent); err != nil {
return errwrap.Wrapf("failed to persist lease entry: {{err}}", err)
}
return nil
}
// deleteEntry is used to delete a lease entry
func (m *ExpirationManager) deleteEntry(leaseID string) error {
if err := m.idView.Delete(m.quitContext, leaseID); err != nil {
func (m *ExpirationManager) deleteEntry(ctx context.Context, leaseID string) error {
if err := m.idView.Delete(ctx, leaseID); err != nil {
return errwrap.Wrapf("failed to delete lease entry: {{err}}", err)
}
return nil
}
// createIndexByToken creates a secondary index from the token to a lease entry
func (m *ExpirationManager) createIndexByToken(token, leaseID string) error {
saltedID, err := m.tokenStore.SaltID(m.quitContext, token)
func (m *ExpirationManager) createIndexByToken(ctx context.Context, token, leaseID string) error {
saltedID, err := m.tokenStore.SaltID(ctx, token)
if err != nil {
return err
}
leaseSaltedID, err := m.tokenStore.SaltID(m.quitContext, leaseID)
leaseSaltedID, err := m.tokenStore.SaltID(ctx, leaseID)
if err != nil {
return err
}
@ -1283,26 +1283,26 @@ func (m *ExpirationManager) createIndexByToken(token, leaseID string) error {
Key: saltedID + "/" + leaseSaltedID,
Value: []byte(leaseID),
}
if err := m.tokenView.Put(m.quitContext, &ent); err != nil {
if err := m.tokenView.Put(ctx, &ent); err != nil {
return errwrap.Wrapf("failed to persist lease index entry: {{err}}", err)
}
return nil
}
// indexByToken looks up the secondary index from the token to a lease entry
func (m *ExpirationManager) indexByToken(token, leaseID string) (*logical.StorageEntry, error) {
saltedID, err := m.tokenStore.SaltID(m.quitContext, token)
func (m *ExpirationManager) indexByToken(ctx context.Context, token, leaseID string) (*logical.StorageEntry, error) {
saltedID, err := m.tokenStore.SaltID(ctx, token)
if err != nil {
return nil, err
}
leaseSaltedID, err := m.tokenStore.SaltID(m.quitContext, leaseID)
leaseSaltedID, err := m.tokenStore.SaltID(ctx, leaseID)
if err != nil {
return nil, err
}
key := saltedID + "/" + leaseSaltedID
entry, err := m.tokenView.Get(m.quitContext, key)
entry, err := m.tokenView.Get(ctx, key)
if err != nil {
return nil, fmt.Errorf("failed to look up secondary index entry")
}
@ -1310,19 +1310,19 @@ func (m *ExpirationManager) indexByToken(token, leaseID string) (*logical.Storag
}
// removeIndexByToken removes the secondary index from the token to a lease entry
func (m *ExpirationManager) removeIndexByToken(token, leaseID string) error {
saltedID, err := m.tokenStore.SaltID(m.quitContext, token)
func (m *ExpirationManager) removeIndexByToken(ctx context.Context, token, leaseID string) error {
saltedID, err := m.tokenStore.SaltID(ctx, token)
if err != nil {
return err
}
leaseSaltedID, err := m.tokenStore.SaltID(m.quitContext, leaseID)
leaseSaltedID, err := m.tokenStore.SaltID(ctx, leaseID)
if err != nil {
return err
}
key := saltedID + "/" + leaseSaltedID
if err := m.tokenView.Delete(m.quitContext, key); err != nil {
if err := m.tokenView.Delete(ctx, key); err != nil {
return errwrap.Wrapf("failed to delete lease index entry: {{err}}", err)
}
return nil
@ -1331,16 +1331,16 @@ func (m *ExpirationManager) removeIndexByToken(token, leaseID string) error {
// CreateOrFetchRevocationLeaseByToken is used to create or fetch the matching
// leaseID for a particular token. The lease is set to expire immediately after
// it's created.
func (m *ExpirationManager) CreateOrFetchRevocationLeaseByToken(te *logical.TokenEntry) (string, error) {
func (m *ExpirationManager) CreateOrFetchRevocationLeaseByToken(ctx context.Context, te *logical.TokenEntry) (string, error) {
// Fetch the saltedID of the token and construct the leaseID
saltedID, err := m.tokenStore.SaltID(m.quitContext, te.ID)
saltedID, err := m.tokenStore.SaltID(ctx, te.ID)
if err != nil {
return "", err
}
leaseID := path.Join(te.Path, saltedID)
// Load the entry
le, err := m.loadEntry(leaseID)
le, err := m.loadEntry(ctx, leaseID)
if err != nil {
return "", err
}
@ -1370,7 +1370,7 @@ func (m *ExpirationManager) CreateOrFetchRevocationLeaseByToken(te *logical.Toke
}
// Encode the entry
if err := m.persistEntry(le); err != nil {
if err := m.persistEntry(ctx, le); err != nil {
return "", err
}
}
@ -1379,15 +1379,15 @@ func (m *ExpirationManager) CreateOrFetchRevocationLeaseByToken(te *logical.Toke
}
// lookupLeasesByToken is used to lookup all the leaseID's via the tokenID
func (m *ExpirationManager) lookupLeasesByToken(token string) ([]string, error) {
saltedID, err := m.tokenStore.SaltID(m.quitContext, token)
func (m *ExpirationManager) lookupLeasesByToken(ctx context.Context, token string) ([]string, error) {
saltedID, err := m.tokenStore.SaltID(ctx, token)
if err != nil {
return nil, err
}
// Scan via the index for sub-leases
prefix := saltedID + "/"
subKeys, err := m.tokenView.List(m.quitContext, prefix)
subKeys, err := m.tokenView.List(ctx, prefix)
if err != nil {
return nil, errwrap.Wrapf("failed to list leases: {{err}}", err)
}
@ -1395,7 +1395,7 @@ func (m *ExpirationManager) lookupLeasesByToken(token string) ([]string, error)
// Read each index entry
leaseIDs := make([]string, 0, len(subKeys))
for _, sub := range subKeys {
out, err := m.tokenView.Get(m.quitContext, prefix+sub)
out, err := m.tokenView.Get(ctx, prefix+sub)
if err != nil {
return nil, errwrap.Wrapf("failed to read lease index: {{err}}", err)
}

102
vault/expiration_test.go
View File

@ -79,7 +79,7 @@ func TestExpiration_Tidy(t *testing.T) {
}
// Persist the invalid lease entry
if err = exp.persistEntry(le); err != nil {
if err = exp.persistEntry(context.Background(), le); err != nil {
t.Fatalf("error persisting entry: %v", err)
}
@ -114,7 +114,7 @@ func TestExpiration_Tidy(t *testing.T) {
le.ClientToken = "invalidtoken"
// Persist the invalid lease entry
if err = exp.persistEntry(le); err != nil {
if err = exp.persistEntry(context.Background(), le); err != nil {
t.Fatalf("error persisting entry: %v", err)
}
@ -146,12 +146,12 @@ func TestExpiration_Tidy(t *testing.T) {
}
// Attach an invalid token with 2 leases
if err = exp.persistEntry(le); err != nil {
if err = exp.persistEntry(context.Background(), le); err != nil {
t.Fatalf("error persisting entry: %v", err)
}
le.LeaseID = "another/invalid/lease"
if err = exp.persistEntry(le); err != nil {
if err = exp.persistEntry(context.Background(), le); err != nil {
t.Fatalf("error persisting entry: %v", err)
}
@ -187,7 +187,7 @@ func TestExpiration_Tidy(t *testing.T) {
"test_key": "test_value",
},
}
_, err := exp.Register(req, resp)
_, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -240,7 +240,7 @@ func TestExpiration_Tidy(t *testing.T) {
le.ClientToken = root.ID
// Attach a valid token with the leases
if err = exp.persistEntry(le); err != nil {
if err = exp.persistEntry(context.Background(), le); err != nil {
t.Fatalf("error persisting entry: %v", err)
}
@ -345,7 +345,7 @@ func benchmarkExpirationBackend(b *testing.B, physicalBackend physical.Backend,
"secret_key": "abcd",
},
}
_, err = exp.Register(req, resp)
_, err = exp.Register(context.Background(), req, resp)
if err != nil {
b.Fatalf("err: %v", err)
}
@ -404,7 +404,7 @@ func TestExpiration_Restore(t *testing.T) {
"secret_key": "abcd",
},
}
_, err := exp.Register(req, resp)
_, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -461,7 +461,7 @@ func TestExpiration_Register(t *testing.T) {
},
}
id, err := exp.Register(req, resp)
id, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -489,12 +489,12 @@ func TestExpiration_RegisterAuth(t *testing.T) {
},
}
err = exp.RegisterAuth("auth/github/login", auth)
err = exp.RegisterAuth(context.Background(), "auth/github/login", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
err = exp.RegisterAuth("auth/github/../login", auth)
err = exp.RegisterAuth(context.Background(), "auth/github/../login", auth)
if err == nil {
t.Fatal("expected error")
}
@ -511,13 +511,13 @@ func TestExpiration_RegisterAuth_NoLease(t *testing.T) {
ClientToken: root.ID,
}
err = exp.RegisterAuth("auth/github/login", auth)
err = exp.RegisterAuth(context.Background(), "auth/github/login", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
// Should not be able to renew, no expiration
resp, err := exp.RenewToken(&logical.Request{}, "auth/github/login", root.ID, 0)
resp, err := exp.RenewToken(context.Background(), &logical.Request{}, "auth/github/login", root.ID, 0)
if err != nil && (err != logical.ErrInvalidRequest || (resp != nil && resp.IsError() && resp.Error().Error() != "lease not found or lease is not renewable")) {
t.Fatalf("bad: err:%v resp:%#v", err, resp)
}
@ -569,7 +569,7 @@ func TestExpiration_Revoke(t *testing.T) {
},
}
id, err := exp.Register(req, resp)
id, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -615,7 +615,7 @@ func TestExpiration_RevokeOnExpire(t *testing.T) {
},
}
_, err = exp.Register(req, resp)
_, err = exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -677,14 +677,14 @@ func TestExpiration_RevokePrefix(t *testing.T) {
"secret_key": "abcd",
},
}
_, err := exp.Register(req, resp)
_, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
}
// Should nuke all the keys
if err := exp.RevokePrefix("prod/aws/", true); err != nil {
if err := exp.RevokePrefix(context.Background(), "prod/aws/", true); err != nil {
t.Fatalf("err: %v", err)
}
@ -745,7 +745,7 @@ func TestExpiration_RevokeByToken(t *testing.T) {
"secret_key": "abcd",
},
}
_, err := exp.Register(req, resp)
_, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -755,7 +755,7 @@ func TestExpiration_RevokeByToken(t *testing.T) {
te := &logical.TokenEntry{
ID: "foobarbaz",
}
if err := exp.RevokeByToken(te); err != nil {
if err := exp.RevokeByToken(context.Background(), te); err != nil {
t.Fatalf("err: %v", err)
}
@ -832,7 +832,7 @@ func TestExpiration_RevokeByToken_Blocking(t *testing.T) {
"secret_key": "abcd",
},
}
_, err := exp.Register(req, resp)
_, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -842,7 +842,7 @@ func TestExpiration_RevokeByToken_Blocking(t *testing.T) {
te := &logical.TokenEntry{
ID: "foobarbaz",
}
if err := exp.RevokeByToken(te); err != nil {
if err := exp.RevokeByToken(context.Background(), te); err != nil {
t.Fatalf("err: %v", err)
}
@ -897,13 +897,13 @@ func TestExpiration_RenewToken(t *testing.T) {
Renewable: true,
},
}
err = exp.RegisterAuth("auth/token/login", auth)
err = exp.RegisterAuth(context.Background(), "auth/token/login", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
// Renew the token
out, err := exp.RenewToken(&logical.Request{}, "auth/token/login", root.ID, 0)
out, err := exp.RenewToken(context.Background(), &logical.Request{}, "auth/token/login", root.ID, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -935,13 +935,13 @@ func TestExpiration_RenewToken_period(t *testing.T) {
},
Period: time.Minute,
}
err := exp.RegisterAuth("auth/token/login", auth)
err := exp.RegisterAuth(context.Background(), "auth/token/login", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
// Renew the token
out, err := exp.RenewToken(&logical.Request{}, "auth/token/login", root.ID, 0)
out, err := exp.RenewToken(context.Background(), &logical.Request{}, "auth/token/login", root.ID, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -998,14 +998,14 @@ func TestExpiration_RenewToken_period_backend(t *testing.T) {
Period: 5 * time.Second,
}
err = exp.RegisterAuth("auth/foo/login", auth)
err = exp.RegisterAuth(context.Background(), "auth/foo/login", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
// Wait 3 seconds
time.Sleep(3 * time.Second)
resp, err := exp.RenewToken(&logical.Request{}, "auth/foo/login", root.ID, 0)
resp, err := exp.RenewToken(context.Background(), &logical.Request{}, "auth/foo/login", root.ID, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1018,7 +1018,7 @@ func TestExpiration_RenewToken_period_backend(t *testing.T) {
// Wait another 3 seconds. If period works correctly, this should not fail
time.Sleep(3 * time.Second)
resp, err = exp.RenewToken(&logical.Request{}, "auth/foo/login", root.ID, 0)
resp, err = exp.RenewToken(context.Background(), &logical.Request{}, "auth/foo/login", root.ID, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1045,13 +1045,13 @@ func TestExpiration_RenewToken_NotRenewable(t *testing.T) {
Renewable: false,
},
}
err = exp.RegisterAuth("auth/github/login", auth)
err = exp.RegisterAuth(context.Background(), "auth/github/login", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
// Attempt to renew the token
resp, err := exp.RenewToken(&logical.Request{}, "auth/github/login", root.ID, 0)
resp, err := exp.RenewToken(context.Background(), &logical.Request{}, "auth/github/login", root.ID, 0)
if err != nil && (err != logical.ErrInvalidRequest || (resp != nil && resp.IsError() && resp.Error().Error() != "lease is not renewable")) {
t.Fatalf("bad: err:%v resp:%#v", err, resp)
}
@ -1093,7 +1093,7 @@ func TestExpiration_Renew(t *testing.T) {
},
}
id, err := exp.Register(req, resp)
id, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1110,7 +1110,7 @@ func TestExpiration_Renew(t *testing.T) {
},
}
out, err := exp.Renew(id, 0)
out, err := exp.Renew(context.Background(), id, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1163,12 +1163,12 @@ func TestExpiration_Renew_NotRenewable(t *testing.T) {
},
}
id, err := exp.Register(req, resp)
id, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
_, err = exp.Renew(id, 0)
_, err = exp.Renew(context.Background(), id, 0)
if err.Error() != "lease is not renewable" {
t.Fatalf("err: %v", err)
}
@ -1213,7 +1213,7 @@ func TestExpiration_Renew_RevokeOnExpire(t *testing.T) {
},
}
id, err := exp.Register(req, resp)
id, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1230,7 +1230,7 @@ func TestExpiration_Renew_RevokeOnExpire(t *testing.T) {
},
}
_, err = exp.Renew(id, 0)
_, err = exp.Renew(context.Background(), id, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1286,7 +1286,7 @@ func TestExpiration_revokeEntry(t *testing.T) {
ExpireTime: time.Now(),
}
err = exp.revokeEntry(le)
err = exp.revokeEntry(context.Background(), le)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1337,15 +1337,15 @@ func TestExpiration_revokeEntry_token(t *testing.T) {
ExpireTime: time.Now(),
}
if err := exp.persistEntry(le); err != nil {
if err := exp.persistEntry(context.Background(), le); err != nil {
t.Fatalf("error persisting entry: %v", err)
}
if err := exp.createIndexByToken(le.ClientToken, le.LeaseID); err != nil {
if err := exp.createIndexByToken(context.Background(), le.ClientToken, le.LeaseID); err != nil {
t.Fatalf("error creating secondary index: %v", err)
}
exp.updatePending(le, le.Secret.LeaseTotal())
indexEntry, err := exp.indexByToken(le.ClientToken, le.LeaseID)
indexEntry, err := exp.indexByToken(context.Background(), le.ClientToken, le.LeaseID)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1353,7 +1353,7 @@ func TestExpiration_revokeEntry_token(t *testing.T) {
t.Fatalf("err: should have found a secondary index entry")
}
err = exp.revokeEntry(le)
err = exp.revokeEntry(context.Background(), le)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1368,7 +1368,7 @@ func TestExpiration_revokeEntry_token(t *testing.T) {
t.Fatalf("bad: %v", out)
}
indexEntry, err = exp.indexByToken(le.ClientToken, le.LeaseID)
indexEntry, err = exp.indexByToken(context.Background(), le.ClientToken, le.LeaseID)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1419,7 +1419,7 @@ func TestExpiration_renewEntry(t *testing.T) {
ExpireTime: time.Now(),
}
resp, err := exp.renewEntry(le, 0)
resp, err := exp.renewEntry(context.Background(), le, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1484,12 +1484,12 @@ func TestExpiration_revokeEntry_rejected(t *testing.T) {
ExpireTime: time.Now().Add(time.Minute),
}
err = exp.persistEntry(le)
err = exp.persistEntry(context.Background(), le)
if err != nil {
t.Fatal(err)
}
err = exp.LazyRevoke(le.LeaseID)
err = exp.LazyRevoke(context.Background(), le.LeaseID)
if err != nil {
t.Fatal(err)
}
@ -1522,7 +1522,7 @@ func TestExpiration_revokeEntry_rejected(t *testing.T) {
// Now let the revocation actually process
time.Sleep(1 * time.Second)
le, err = exp.FetchLeaseTimes(le.LeaseID)
le, err = exp.FetchLeaseTimes(context.Background(), le.LeaseID)
if err != nil {
t.Fatal(err)
}
@ -1571,7 +1571,7 @@ func TestExpiration_renewAuthEntry(t *testing.T) {
ExpireTime: time.Now().Add(time.Minute),
}
resp, err := exp.renewAuthEntry(&logical.Request{}, le, 0)
resp, err := exp.renewAuthEntry(context.Background(), &logical.Request{}, le, 0)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1613,11 +1613,11 @@ func TestExpiration_PersistLoadDelete(t *testing.T) {
ExpireTime: lastTime,
LastRenewalTime: lastTime,
}
if err := exp.persistEntry(le); err != nil {
if err := exp.persistEntry(context.Background(), le); err != nil {
t.Fatalf("err: %v", err)
}
out, err := exp.loadEntry("foo/bar/1234")
out, err := exp.loadEntry(context.Background(), "foo/bar/1234")
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1633,12 +1633,12 @@ func TestExpiration_PersistLoadDelete(t *testing.T) {
t.Fatalf("bad: expected:\n%#v\nactual:\n%#v", le, out)
}
err = exp.deleteEntry("foo/bar/1234")
err = exp.deleteEntry(context.Background(), "foo/bar/1234")
if err != nil {
t.Fatalf("err: %v", err)
}
out, err = exp.loadEntry("foo/bar/1234")
out, err = exp.loadEntry(context.Background(), "foo/bar/1234")
if err != nil {
t.Fatalf("err: %v", err)
}

4
vault/ha.go
View File

@ -245,9 +245,9 @@ func (c *Core) StepDown(httpCtx context.Context, req *logical.Request) (retErr e
if te != nil && te.NumUses == tokenRevocationPending {
// Token needs to be revoked. We do this immediately here because
// we won't have a token store after sealing.
leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(te)
leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(c.activeContext, te)
if err == nil {
err = c.expiration.Revoke(ctx, leaseID)
err = c.expiration.Revoke(c.activeContext, leaseID)
}
if err != nil {
c.logger.Error("token needed revocation before step-down but failed to revoke", "error", err)

18
vault/logical_system.go
View File

@ -2235,7 +2235,7 @@ func (b *SystemBackend) handleLeaseLookup(ctx context.Context, req *logical.Requ
logical.ErrInvalidRequest
}
leaseTimes, err := b.Core.expiration.FetchLeaseTimes(leaseID)
leaseTimes, err := b.Core.expiration.FetchLeaseTimes(ctx, leaseID)
if err != nil {
b.Backend.Logger().Error("error retrieving lease", "lease_id", leaseID, "error", err)
return handleError(err)
@ -2297,7 +2297,7 @@ func (b *SystemBackend) handleRenew(ctx context.Context, req *logical.Request, d
increment := time.Duration(incrementRaw) * time.Second
// Invoke the expiration manager directly
resp, err := b.Core.expiration.Renew(leaseID, increment)
resp, err := b.Core.expiration.Renew(ctx, leaseID, increment)
if err != nil {
b.Backend.Logger().Error("lease renewal failed", "lease_id", leaseID, "error", err)
return handleErrorNoReadOnlyForward(err)
@ -2319,7 +2319,7 @@ func (b *SystemBackend) handleRevoke(ctx context.Context, req *logical.Request,
if data.Get("sync").(bool) {
// Invoke the expiration manager directly
if err := b.Core.expiration.Revoke(ctx, leaseID); err != nil {
if err := b.Core.expiration.Revoke(b.Core.activeContext, leaseID); err != nil {
b.Backend.Logger().Error("lease revocation failed", "lease_id", leaseID, "error", err)
return handleErrorNoReadOnlyForward(err)
}
@ -2327,7 +2327,7 @@ func (b *SystemBackend) handleRevoke(ctx context.Context, req *logical.Request,
return nil, nil
}
if err := b.Core.expiration.LazyRevoke(leaseID); err != nil {
if err := b.Core.expiration.LazyRevoke(b.Core.activeContext, leaseID); err != nil {
b.Backend.Logger().Error("lease revocation failed", "lease_id", leaseID, "error", err)
return handleErrorNoReadOnlyForward(err)
}
@ -2337,16 +2337,16 @@ func (b *SystemBackend) handleRevoke(ctx context.Context, req *logical.Request,
// handleRevokePrefix is used to revoke a prefix with many LeaseIDs
func (b *SystemBackend) handleRevokePrefix(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
return b.handleRevokePrefixCommon(req, data, false, data.Get("sync").(bool))
return b.handleRevokePrefixCommon(ctx, req, data, false, data.Get("sync").(bool))
}
// handleRevokeForce is used to revoke a prefix with many LeaseIDs, ignoring errors
func (b *SystemBackend) handleRevokeForce(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
return b.handleRevokePrefixCommon(req, data, true, true)
return b.handleRevokePrefixCommon(ctx, req, data, true, true)
}
// handleRevokePrefixCommon is used to revoke a prefix with many LeaseIDs
func (b *SystemBackend) handleRevokePrefixCommon(
func (b *SystemBackend) handleRevokePrefixCommon(ctx context.Context,
req *logical.Request, data *framework.FieldData, force, sync bool) (*logical.Response, error) {
// Get all the options
prefix := data.Get("prefix").(string)
@ -2354,9 +2354,9 @@ func (b *SystemBackend) handleRevokePrefixCommon(
// Invoke the expiration manager directly
var err error
if force {
err = b.Core.expiration.RevokeForce(prefix)
err = b.Core.expiration.RevokeForce(b.Core.activeContext, prefix)
} else {
err = b.Core.expiration.RevokePrefix(prefix, sync)
err = b.Core.expiration.RevokePrefix(b.Core.activeContext, prefix, sync)
}
if err != nil {
b.Backend.Logger().Error("revoke prefix failed", "prefix", prefix, "error", err)

4
vault/logical_system_test.go
View File

@ -1305,7 +1305,7 @@ func TestSystemBackend_revokePrefixAuth_newUrl(t *testing.T) {
TTL: time.Hour,
},
}
err = exp.RegisterAuth(te.Path, auth)
err = exp.RegisterAuth(context.Background(), te.Path, auth)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1368,7 +1368,7 @@ func TestSystemBackend_revokePrefixAuth_origUrl(t *testing.T) {
TTL: time.Hour,
},
}
err = exp.RegisterAuth(te.Path, auth)
err = exp.RegisterAuth(context.Background(), te.Path, auth)
if err != nil {
t.Fatalf("err: %v", err)
}

4
vault/mount.go
View File

@ -408,7 +408,7 @@ func (c *Core) unmountInternal(ctx context.Context, path string) error {
}
// Revoke all the dynamic keys
if err := c.expiration.RevokePrefix(path, true); err != nil {
if err := c.expiration.RevokePrefix(c.activeContext, path, true); err != nil {
return err
}
@ -555,7 +555,7 @@ func (c *Core) remount(ctx context.Context, src, dst string) error {
}
// Revoke all the dynamic keys
if err := c.expiration.RevokePrefix(src, true); err != nil {
if err := c.expiration.RevokePrefix(c.activeContext, src, true); err != nil {
return err
}

12
vault/request_handling.go
View File

@ -32,7 +32,7 @@ var (
DefaultMaxRequestDuration = 90 * time.Second
)
// HanlderProperties is used to seed configuration into a vaulthttp.Handler.
// HandlerProperties is used to seed configuration into a vaulthttp.Handler.
// It's in this package to avoid a circular dependency
type HandlerProperties struct {
Core *Core
@ -443,9 +443,9 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
// valid request (this is the token's final use). We pass the ID in
// directly just to be safe in case something else modifies te later.
defer func(id string) {
leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(te)
leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(c.activeContext, te)
if err == nil {
err = c.expiration.Revoke(ctx, leaseID)
err = c.expiration.LazyRevoke(ctx, leaseID)
}
if err != nil {
c.logger.Error("failed to revoke token", "error", err)
@ -611,7 +611,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
}
resp.Secret.TTL = ttl
leaseID, err := c.expiration.Register(req, resp)
leaseID, err := c.expiration.Register(ctx, req, resp)
if err != nil {
c.logger.Error("failed to register lease", "request_path", req.Path, "error", err)
retErr = multierror.Append(retErr, ErrInternalError)
@ -654,7 +654,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
}
resp.Auth.TokenPolicies = policyutil.SanitizePolicies(resp.Auth.Policies, policyutil.DoNotAddDefaultPolicy)
if err := c.expiration.RegisterAuth(resp.Auth.CreationPath, resp.Auth); err != nil {
if err := c.expiration.RegisterAuth(ctx, resp.Auth.CreationPath, resp.Auth); err != nil {
c.tokenStore.revokeOrphan(ctx, te.ID)
c.logger.Error("failed to register token lease", "request_path", req.Path, "error", err)
retErr = multierror.Append(retErr, ErrInternalError)
@ -880,7 +880,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
auth.TTL = te.TTL
// Register with the expiration manager
if err := c.expiration.RegisterAuth(te.Path, auth); err != nil {
if err := c.expiration.RegisterAuth(ctx, te.Path, auth); err != nil {
c.tokenStore.revokeOrphan(ctx, te.ID)
c.logger.Error("failed to register token lease", "request_path", req.Path, "error", err)
return nil, auth, ErrInternalError

31
vault/token_store.go
View File

@ -136,6 +136,8 @@ type TokenStore struct {
tidyLock *uint32
identityPoliciesDeriverFunc func(string) (*identity.Entity, []string, error)
quitContext context.Context
}
// NewTokenStore is used to construct a token store that is
@ -154,6 +156,7 @@ func NewTokenStore(ctx context.Context, logger log.Logger, c *Core, config *logi
saltLock: sync.RWMutex{},
identityPoliciesDeriverFunc: c.fetchEntityAndDerivedPolicies,
tidyLock: new(uint32),
quitContext: c.activeContext,
}
if c.policyStore != nil {
@ -976,7 +979,7 @@ func (ts *TokenStore) lookupSalted(ctx context.Context, saltedID string, tainted
if ts.expiration == nil {
return nil, errors.New("expiration manager is nil on tokenstore")
}
le, err := ts.expiration.FetchLeaseTimesByToken(entry.Path, entry.ID)
le, err := ts.expiration.FetchLeaseTimesByToken(ctx, entry.Path, entry.ID)
if err != nil {
return nil, errwrap.Wrapf("failed to fetch lease times: {{err}}", err)
}
@ -986,12 +989,12 @@ func (ts *TokenStore) lookupSalted(ctx context.Context, saltedID string, tainted
switch {
// It's any kind of expiring token with no lease, immediately delete it
case le == nil:
leaseID, err := ts.expiration.CreateOrFetchRevocationLeaseByToken(entry)
leaseID, err := ts.expiration.CreateOrFetchRevocationLeaseByToken(ctx, entry)
if err != nil {
return nil, err
}
err = ts.expiration.Revoke(ctx, leaseID)
err = ts.expiration.Revoke(ts.quitContext, leaseID)
if err != nil {
return nil, err
}
@ -1096,7 +1099,7 @@ func (ts *TokenStore) revokeSalted(ctx context.Context, saltedID string, skipOrp
// Revoke all secrets under this token. This should go first as it's a
// security-sensitive item.
if err := ts.expiration.RevokeByToken(entry); err != nil {
if err := ts.expiration.RevokeByToken(ts.quitContext, entry); err != nil {
return err
}
@ -1303,7 +1306,7 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
defer atomic.StoreUint32(ts.tidyLock, 0)
// Don't cancel when the original client request goes away
ctx = context.Background()
ctx = ts.quitContext
logger := ts.logger.Named("tidy")
@ -1468,7 +1471,7 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
// Attempt to revoke the token. This will also revoke
// the leases associated with the token.
err := ts.expiration.RevokeByToken(tokenEntry)
err := ts.expiration.RevokeByToken(ctx, tokenEntry)
if err != nil {
tidyErrors = multierror.Append(tidyErrors, errwrap.Wrapf("failed to revoke leases of expired token: {{err}}", err))
continue
@ -1594,12 +1597,12 @@ func (ts *TokenStore) handleUpdateRevokeAccessor(ctx context.Context, req *logic
return logical.ErrorResponse("token not found"), logical.ErrInvalidRequest
}
leaseID, err := ts.expiration.CreateOrFetchRevocationLeaseByToken(te)
leaseID, err := ts.expiration.CreateOrFetchRevocationLeaseByToken(ctx, te)
if err != nil {
return nil, err
}
err = ts.expiration.Revoke(ctx, leaseID)
err = ts.expiration.Revoke(ts.quitContext, leaseID)
if err != nil {
return nil, err
}
@ -2049,12 +2052,12 @@ func (ts *TokenStore) handleRevokeSelf(ctx context.Context, req *logical.Request
return logical.ErrorResponse("token not found"), logical.ErrInvalidRequest
}
leaseID, err := ts.expiration.CreateOrFetchRevocationLeaseByToken(te)
leaseID, err := ts.expiration.CreateOrFetchRevocationLeaseByToken(ctx, te)
if err != nil {
return nil, err
}
err = ts.expiration.Revoke(ctx, leaseID)
err = ts.expiration.Revoke(ts.quitContext, leaseID)
if err != nil {
return nil, err
}
@ -2085,12 +2088,12 @@ func (ts *TokenStore) handleRevokeTree(ctx context.Context, req *logical.Request
return logical.ErrorResponse("token not found"), logical.ErrInvalidRequest
}
leaseID, err := ts.expiration.CreateOrFetchRevocationLeaseByToken(te)
leaseID, err := ts.expiration.CreateOrFetchRevocationLeaseByToken(ctx, te)
if err != nil {
return nil, err
}
err = ts.expiration.Revoke(ctx, leaseID)
err = ts.expiration.Revoke(ts.quitContext, leaseID)
if err != nil {
return nil, err
}
@ -2228,7 +2231,7 @@ func (ts *TokenStore) handleLookup(ctx context.Context, req *logical.Request, da
}
// Fetch the last renewal time
leaseTimes, err := ts.expiration.FetchLeaseTimesByToken(out.Path, out.ID)
leaseTimes, err := ts.expiration.FetchLeaseTimesByToken(ctx, out.Path, out.ID)
if err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
@ -2297,7 +2300,7 @@ func (ts *TokenStore) handleRenew(ctx context.Context, req *logical.Request, dat
}
// Renew the token and its children
resp, err := ts.expiration.RenewToken(req, te.Path, te.ID, increment)
resp, err := ts.expiration.RenewToken(ctx, req, te.Path, te.ID, increment)
if urltoken {
resp.AddWarning(`Using a token in the path is unsafe as the token can be logged in many places. Please use POST or PUT with the token passed in via the "token" parameter.`)

42
vault/token_store_test.go
View File

@ -86,7 +86,7 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) {
},
ClientToken: entry.ID,
}
if err := ts.expiration.RegisterAuth(entry.Path, auth); err != nil {
if err := ts.expiration.RegisterAuth(context.Background(), entry.Path, auth); err != nil {
t.Fatal(err)
}
@ -130,7 +130,7 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) {
},
ClientToken: ent.ID,
}
if err := ts.expiration.RegisterAuth(ent.Path, auth); err != nil {
if err := ts.expiration.RegisterAuth(context.Background(), ent.Path, auth); err != nil {
t.Fatal(err)
}
@ -174,7 +174,7 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) {
},
ClientToken: ent.ID,
}
if err := ts.expiration.RegisterAuth(ent.Path, auth); err != nil {
if err := ts.expiration.RegisterAuth(context.Background(), ent.Path, auth); err != nil {
t.Fatal(err)
}
@ -215,7 +215,7 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) {
},
ClientToken: ent.ID,
}
if err := ts.expiration.RegisterAuth(ent.Path, auth); err != nil {
if err := ts.expiration.RegisterAuth(context.Background(), ent.Path, auth); err != nil {
t.Fatal(err)
}
@ -248,7 +248,7 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) {
},
ClientToken: ent.ID,
}
if err := ts.expiration.RegisterAuth(ent.Path, auth); err != nil {
if err := ts.expiration.RegisterAuth(context.Background(), ent.Path, auth); err != nil {
t.Fatal(err)
}
@ -294,7 +294,7 @@ func testMakeTokenViaRequest(t testing.TB, ts *TokenStore, req *logical.Request)
t.Fatalf("got nil token from create call")
}
if err := ts.expiration.RegisterAuth(resp.Auth.CreationPath, resp.Auth); err != nil {
if err := ts.expiration.RegisterAuth(context.Background(), resp.Auth.CreationPath, resp.Auth); err != nil {
t.Fatal(err)
}
@ -321,7 +321,7 @@ func testMakeTokenDirectly(t testing.TB, ts *TokenStore, te *logical.TokenEntry)
ExplicitMaxTTL: te.ExplicitMaxTTL,
CreationPath: te.Path,
}
if err := ts.expiration.RegisterAuth(te.Path, auth); err != nil {
if err := ts.expiration.RegisterAuth(context.Background(), te.Path, auth); err != nil {
t.Fatal(err)
}
}
@ -512,7 +512,7 @@ func TestTokenStore_HandleRequest_RevokeAccessor(t *testing.T) {
Renewable: true,
},
}
err = exp.RegisterAuth("auth/token/create", auth)
err = exp.RegisterAuth(context.Background(), "auth/token/create", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -708,7 +708,7 @@ func TestTokenStore_CreateLookup_ExpirationInRestoreMode(t *testing.T) {
IssueTime: time.Now(),
ExpireTime: time.Now().Add(1 * time.Hour),
}
if err := ts.expiration.persistEntry(le); err != nil {
if err := ts.expiration.persistEntry(context.Background(), le); err != nil {
t.Fatalf("err: %v", err)
}
@ -722,7 +722,7 @@ func TestTokenStore_CreateLookup_ExpirationInRestoreMode(t *testing.T) {
// Set to expired lease time
le.ExpireTime = time.Now().Add(-1 * time.Hour)
if err := ts.expiration.persistEntry(le); err != nil {
if err := ts.expiration.persistEntry(context.Background(), le); err != nil {
t.Fatalf("err: %v", err)
}
@ -893,7 +893,7 @@ func TestTokenStore_Revoke_Leases(t *testing.T) {
"secret_key": "abcd",
},
}
leaseID, err := ts.expiration.Register(req, resp)
leaseID, err := ts.expiration.Register(context.Background(), req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -907,7 +907,7 @@ func TestTokenStore_Revoke_Leases(t *testing.T) {
time.Sleep(200 * time.Millisecond)
// Verify the lease is gone
out, err := ts.expiration.loadEntry(leaseID)
out, err := ts.expiration.loadEntry(context.Background(), leaseID)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1584,7 +1584,7 @@ func TestTokenStore_HandleRequest_Revoke(t *testing.T) {
Renewable: true,
},
}
err = exp.RegisterAuth("auth/token/create", auth)
err = exp.RegisterAuth(context.Background(), "auth/token/create", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1598,7 +1598,7 @@ func TestTokenStore_HandleRequest_Revoke(t *testing.T) {
Renewable: true,
},
}
err = exp.RegisterAuth("auth/token/create", auth)
err = exp.RegisterAuth(context.Background(), "auth/token/create", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -2003,7 +2003,7 @@ func TestTokenStore_HandleRequest_Renew(t *testing.T) {
Renewable: true,
},
}
err = exp.RegisterAuth("auth/token/root", auth)
err = exp.RegisterAuth(context.Background(), "auth/token/root", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -2052,7 +2052,7 @@ func TestTokenStore_HandleRequest_RenewSelf(t *testing.T) {
Renewable: true,
},
}
err = exp.RegisterAuth("auth/token/root", auth)
err = exp.RegisterAuth(context.Background(), "auth/token/root", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -3989,7 +3989,7 @@ func TestTokenStore_TidyLeaseRevocation(t *testing.T) {
Renewable: true,
},
}
err = exp.RegisterAuth("auth/token/create", auth)
err = exp.RegisterAuth(context.Background(), "auth/token/create", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -4011,7 +4011,7 @@ func TestTokenStore_TidyLeaseRevocation(t *testing.T) {
leases := []string{}
for i := 0; i < 10; i++ {
leaseID, err := exp.Register(req, resp)
leaseID, err := exp.Register(context.Background(), req, resp)
if err != nil {
t.Fatal(err)
}
@ -4020,7 +4020,7 @@ func TestTokenStore_TidyLeaseRevocation(t *testing.T) {
sort.Strings(leases)
storedLeases, err := exp.lookupLeasesByToken(tut)
storedLeases, err := exp.lookupLeasesByToken(context.Background(), tut)
if err != nil {
t.Fatal(err)
}
@ -4056,7 +4056,7 @@ func TestTokenStore_TidyLeaseRevocation(t *testing.T) {
}
// Verify leases still exist
storedLeases, err = exp.lookupLeasesByToken(tut)
storedLeases, err = exp.lookupLeasesByToken(context.Background(), tut)
if err != nil {
t.Fatal(err)
}
@ -4071,7 +4071,7 @@ func TestTokenStore_TidyLeaseRevocation(t *testing.T) {
time.Sleep(200 * time.Millisecond)
// Verify leases are gone
storedLeases, err = exp.lookupLeasesByToken(tut)
storedLeases, err = exp.lookupLeasesByToken(context.Background(), tut)
if err != nil {
t.Fatal(err)
}

2
vault/wrapping.go
View File

@ -259,7 +259,7 @@ DONELISTHANDLING:
}
// Register the wrapped token with the expiration manager
if err := c.expiration.RegisterAuth(te.Path, wAuth); err != nil {
if err := c.expiration.RegisterAuth(ctx, te.Path, wAuth); err != nil {
// Revoke since it's not yet being tracked for expiration
c.tokenStore.revokeOrphan(ctx, te.ID)
c.logger.Error("failed to register cubbyhole wrapping token lease", "request_path", req.Path, "error", err)