Remove recreate parameter from clientEC2

2016-04-27 20:01:39 -04:00 · 2016-04-27 20:01:39 -04:00 · e1080f86ed
parent 441477f342
commit e1080f86ed
4 changed files with 59 additions and 23 deletions
--- a/builtin/credential/aws/backend.go
+++ b/builtin/credential/aws/backend.go
@ -27,6 +27,8 @@ func Backend(conf *logical.BackendConfig) (*framework.Backend, error) {
 	}

 	b := &backend{
+		// Setting the periodic func to be run once in an hour.
+		// If there is a real need, this can be made configurable.
 		tidyCooldownPeriod: time.Hour,
 		Salt:               salt,
 		EC2ClientsMap:      make(map[string]*ec2.EC2),
@ -67,20 +69,30 @@ type backend struct {
 	*framework.Backend
 	Salt *salt.Salt

-	configMutex        sync.RWMutex
-	tidyCooldownPeriod time.Duration
-	nextTidyTime       time.Time
+	// Lock to make changes to any of the backend's configuration endpoints.
+	configMutex sync.RWMutex

+	// Duration after which the periodic function of the backend needs to be
+	// executed.
+	tidyCooldownPeriod time.Duration
+
+	// Var that holds the time at which the periodic func should initiatite
+	// the tidy operations.
+	nextTidyTime time.Time
+
+	// Map to hold the EC2 client objects indexed by region. This avoids the
+	// overhead of creating a client object for every login request.
 	EC2ClientsMap map[string]*ec2.EC2
 }

 // periodicFunc performs the tasks that the backend wishes to do periodically.
 // Currently this will be triggered once in a minute by the RollbackManager.
+//
 // The tasks being done are to cleanup the expired entries of both blacklist
-// and whitelist.
+// and whitelist. Tidying is done not once in a minute, but once in an hour.
+// Tidying of blacklist and whitelist are by default enabled. This can be
+// changed using `config/tidy/roletags` and `config/tidy/identities` endpoints.
 func (b *backend) periodicFunc(req *logical.Request) error {
-	b.configMutex.Lock()
-	defer b.configMutex.Unlock()
 	if b.nextTidyTime.IsZero() || !time.Now().Before(b.nextTidyTime) {
 		// safety_buffer defaults to 72h
 		safety_buffer := 259200
@ -89,12 +101,16 @@ func (b *backend) periodicFunc(req *logical.Request) error {
 			return err
 		}
 		skipBlacklistTidy := false
+		// check if tidying of role tags was configured
 		if tidyBlacklistConfigEntry != nil {
+			// check if periodic tidying of role tags was disabled
 			if tidyBlacklistConfigEntry.DisablePeriodicTidy {
 				skipBlacklistTidy = true
 			}
+			// overwrite the default safety_buffer with the configured value
 			safety_buffer = tidyBlacklistConfigEntry.SafetyBuffer
 		}
+		// tidy role tags if explicitly not disabled
 		if !skipBlacklistTidy {
 			tidyBlacklistRoleTag(req.Storage, safety_buffer)
 		}
@ -106,28 +122,37 @@ func (b *backend) periodicFunc(req *logical.Request) error {
 			return err
 		}
 		skipWhitelistTidy := false
+		// check if tidying of identities was configured
 		if tidyWhitelistConfigEntry != nil {
+			// check if periodic tidying of identities was disabled
 			if tidyWhitelistConfigEntry.DisablePeriodicTidy {
 				skipWhitelistTidy = true
 			}
+			// overwrite the default safety_buffer with the configured value
 			safety_buffer = tidyWhitelistConfigEntry.SafetyBuffer
 		}
+		// tidy identities if explicitly not disabled
 		if !skipWhitelistTidy {
 			tidyWhitelistIdentity(req.Storage, safety_buffer)
 		}

-		// Update the lastTidyTime
+		// Update the nextTidyTime
 		b.nextTidyTime = time.Now().Add(b.tidyCooldownPeriod)
 	}
 	return nil
 }

 const backendHelp = `
-AWS auth backend takes in a AWS EC2 instance identity document, its PKCS#7 signature
-and a client created nonce to authenticates the instance with Vault.
+AWS auth backend takes in PKCS#7 signature of an AWS EC2 instance and a client
+created nonce to authenticates the EC2 instance with Vault.

 Authentication is backed by a preconfigured association of AMIs to Vault's policies
-through 'image/<ami_id>' endpoint. For instances that share an AMI, an instance tag can
-be created through 'image/<ami_id>/tag'. This tag should be attached to the EC2 instance
-before the instance attempts to login to Vault.
+through 'image/<ami_id>' endpoint. All the instances that are using this AMI will
+get the policies configured on the AMI.
+
+If there is need to further restrict the policies set on the AMI, 'role_tag' option
+can be enabled on the AMI and a tag can be generated using 'image/<ami_id>/roletag'
+endpoint. This tag represents the subset of capabilities set on the AMI. When the
+'role_tag' option is enabled on the AMI, the login operation requires that a respective
+role tag is attached to the EC2 instance that is performing the login.
 `
--- a/builtin/credential/aws/backend_test.go
+++ b/builtin/credential/aws/backend_test.go
@ -23,8 +23,6 @@ func TestBackend_CreateParseVerifyRoleTag(t *testing.T) {
 		t.Fatal(err)
 	}

-	backend := b.(*backend)
-
 	// create an entry for ami
 	data := map[string]interface{}{
 		"policies": "p,q,r,s",
--- a/builtin/credential/aws/client.go
+++ b/builtin/credential/aws/client.go
@ -32,6 +32,7 @@ func (b *backend) getClientConfig(s logical.Storage, region string) (*aws.Config
 	if config != nil {
 		switch {
 		case config.AccessKey != "" && config.SecretKey != "":
+			// Add the static credential provider
 			providers = append(providers, &credentials.StaticProvider{
 				Value: credentials.Value{
 					AccessKeyID:     config.AccessKey,
@ -45,8 +46,10 @@ func (b *backend) getClientConfig(s logical.Storage, region string) (*aws.Config
 		}
 	}

+	// Add the environment credential provider
 	providers = append(providers, &credentials.EnvProvider{})

+	// Add the instance metadata role provider
 	// Create the credentials required to access the API.
 	providers = append(providers, &ec2rolecreds.EC2RoleProvider{
 		Client: ec2metadata.New(session.New(&aws.Config{
@ -70,34 +73,44 @@ func (b *backend) getClientConfig(s logical.Storage, region string) (*aws.Config
 }

 // flushCachedEC2Clients deletes all the cached ec2 client objects from the backend.
+// If the client credentials configuration is deleted or updated in the backend, all
+// the cached EC2 client objects will be flushed.
 func (b *backend) flushCachedEC2Clients() {
 	b.configMutex.Lock()
 	defer b.configMutex.Unlock()

+	// deleting items in map during iteration is safe.
 	for region, _ := range b.EC2ClientsMap {
 		delete(b.EC2ClientsMap, region)
 	}
 }

 // clientEC2 creates a client to interact with AWS EC2 API.
-func (b *backend) clientEC2(s logical.Storage, region string, recreate bool) (*ec2.EC2, error) {
-	if !recreate {
-		b.configMutex.RLock()
-		if b.EC2ClientsMap[region] != nil {
-			defer b.configMutex.RUnlock()
-			return b.EC2ClientsMap[region], nil
-		}
-		b.configMutex.RUnlock()
+func (b *backend) clientEC2(s logical.Storage, region string) (*ec2.EC2, error) {
+	b.configMutex.RLock()
+	if b.EC2ClientsMap[region] != nil {
+		defer b.configMutex.RUnlock()
+		// If the client object was already created, return it.
+		return b.EC2ClientsMap[region], nil
 	}

+	// Release the read lock and acquire the write lock.
+	b.configMutex.RUnlock()
 	b.configMutex.Lock()
 	defer b.configMutex.Unlock()

+	// If the client gets created while switching the locks, return it.
+	if b.EC2ClientsMap[region] != nil {
+		return b.EC2ClientsMap[region], nil
+	}
+
+	// Fetch the configured credentials
 	awsConfig, err := b.getClientConfig(s, region)
 	if err != nil {
 		return nil, err
 	}

+	// Create a new EC2 client object, cache it and return the same.
 	b.EC2ClientsMap[region] = ec2.New(session.New(awsConfig))
 	return b.EC2ClientsMap[region], nil
 }
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@ -42,7 +42,7 @@ func pathLogin(b *backend) *framework.Path {
 // checks if the instance is running and is healthy.
 func (b *backend) validateInstance(s logical.Storage, identityDoc *identityDocument) (*ec2.DescribeInstancesOutput, error) {
 	// Create an EC2 client to pull the instance information
-	ec2Client, err := b.clientEC2(s, identityDoc.Region, false)
+	ec2Client, err := b.clientEC2(s, identityDoc.Region)
 	if err != nil {
 		return nil, err
 	}