diff --git a/builtin/logical/database/dbplugin/client.go b/builtin/logical/database/dbplugin/client.go
index 37cb629c4..82b43551c 100644
--- a/builtin/logical/database/dbplugin/client.go
+++ b/builtin/logical/database/dbplugin/client.go
@@ -32,12 +32,21 @@ func (dc *DatabasePluginClient) Close() error {
 // plugin. The client is wrapped in a DatabasePluginClient object to ensure the
 // plugin is killed on call of Close().
 func newPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunner *pluginutil.PluginRunner, logger log.Logger) (Database, error) {
-	// pluginMap is the map of plugins we can dispense.
-	var pluginMap = map[string]plugin.Plugin{
-		"database": new(DatabasePlugin),
+	// pluginSets is the map of plugins we can dispense.
+	pluginSets := map[int]plugin.PluginSet{
+		// Version 3 supports both protocols
+		3: plugin.PluginSet{
+			"database": &DatabasePlugin{
+				GRPCDatabasePlugin: new(GRPCDatabasePlugin),
+			},
+		},
+		// Version 4 only supports gRPC
+		4: plugin.PluginSet{
+			"database": new(GRPCDatabasePlugin),
+		},
 	}
 
-	client, err := pluginRunner.Run(ctx, sys, pluginMap, handshakeConfig, []string{}, logger)
+	client, err := pluginRunner.Run(ctx, sys, pluginSets, handshakeConfig, []string{}, logger)
 	if err != nil {
 		return nil, err
 	}
@@ -61,7 +70,7 @@ func newPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunne
 	case *gRPCClient:
 		db = raw.(*gRPCClient)
 	case *databasePluginRPCClient:
-		logger.Warn("plugin is using deprecated net RPC transport, recompile plugin to upgrade to gRPC", "plugin", pluginRunner.Name)
+		logger.Warn("plugin is using deprecated netRPC transport, recompile plugin to upgrade to gRPC", "plugin", pluginRunner.Name)
 		db = raw.(*databasePluginRPCClient)
 	default:
 		return nil, errors.New("unsupported client type")
diff --git a/builtin/logical/database/dbplugin/plugin.go b/builtin/logical/database/dbplugin/plugin.go
index 502f97ebc..1a39e5e03 100644
--- a/builtin/logical/database/dbplugin/plugin.go
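Review bot: The version-3 PluginSet in newPluginClient is the netRPC compatibility path, but it carries no removal marker, while the matching fallback in server.go is tagged `// Remove this block in 0.13`; both halves of the deprecation should be retired together and the comment here is where a reader would look. Suggest `// Version 3 supports both protocols; remove together with the netRPC fallback in 0.13`. The `plugin.PluginSet{...}` element literals can also drop the repeated type (`3: {"database": ...}`), which is the form gofmt -s produces. newPluginClient's body continues between and after these two hunks.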
+++ b/builtin/logical/database/dbplugin/plugin.go
@@ -26,7 +26,7 @@ type Database interface {
 	Init(ctx context.Context, config map[string]interface{}, verifyConnection bool) (saveConfig map[string]interface{}, err error)
 	Close() error
 
-	// DEPRECATED, will be removed in 0.12
+	// DEPRECATED, will be removed in 0.13
 	Initialize(ctx context.Context, config map[string]interface{}, verifyConnection bool) (err error)
 }
 
@@ -104,25 +104,35 @@ func PluginFactory(ctx context.Context, pluginName string, sys pluginutil.LookRu
 // This prevents users from executing bad plugins or executing a plugin
 // directory. It is a UX feature, not a security feature.
 var handshakeConfig = plugin.HandshakeConfig{
-	ProtocolVersion:  3,
+	ProtocolVersion:  4,
 	MagicCookieKey:   "VAULT_DATABASE_PLUGIN",
 	MagicCookieValue: "926a0820-aea2-be28-51d6-83cdf00e8edb",
 }
 
 var _ plugin.Plugin = &DatabasePlugin{}
 var _ plugin.GRPCPlugin = &DatabasePlugin{}
+var _ plugin.Plugin = &GRPCDatabasePlugin{}
+var _ plugin.GRPCPlugin = &GRPCDatabasePlugin{}
 
 // DatabasePlugin implements go-plugin's Plugin interface. It has methods for
 // retrieving a server and a client instance of the plugin.
 type DatabasePlugin struct {
-	impl Database
+	*GRPCDatabasePlugin
+}
+
+// GRPCDatabasePlugin is the plugin.Plugin implementation that only supports GRPC
+// transport
+type GRPCDatabasePlugin struct {
+	Impl Database
+
+	// Embeding this will disable the netRPC protocol
+	plugin.NetRPCUnsupportedPlugin
 }
 
 func (d DatabasePlugin) Server(*plugin.MuxBroker) (interface{}, error) {
 	impl := &DatabaseErrorSanitizerMiddleware{
-		next: d.impl,
+		next: d.Impl,
 	}
-
 	return &databasePluginRPCServer{impl: impl}, nil
 }
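Review bot: `DatabasePlugin.Server` now reads `d.Impl` through the embedded `*GRPCDatabasePlugin` pointer, so a `DatabasePlugin{}` zero value — the shape `new(DatabasePlugin)` produced before this change — no longer fails cleanly but panics with a nil dereference, and the promoted `GRPCServer`/`GRPCClient` behave the same way. Either guard the embedded pointer at the top of Server, `if d.GRPCDatabasePlugin == nil { return nil, errors.New("dbplugin: GRPCDatabasePlugin must be set") }` (with `errors` imported in this file), or state the requirement on the type: `// The embedded GRPCDatabasePlugin must be non-nil; a zero DatabasePlugin is unusable.` `BackendPlugin` in logical/plugin/backend.go has the same exposure, since its `Client` reads `b.MetadataMode` through the embedded `*GRPCBackendPlugin`. DatabasePlugin's `Client` method lies outside this hunk.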
@@ -130,16 +140,16 @@ func (DatabasePlugin) Client(b *plugin.MuxBroker, c *rpc.Client) (interface{}, e
 	return &databasePluginRPCClient{client: c}, nil
 }
 
-func (d DatabasePlugin) GRPCServer(_ *plugin.GRPCBroker, s *grpc.Server) error {
+func (d GRPCDatabasePlugin) GRPCServer(_ *plugin.GRPCBroker, s *grpc.Server) error {
 	impl := &DatabaseErrorSanitizerMiddleware{
-		next: d.impl,
+		next: d.Impl,
 	}
 
 	RegisterDatabaseServer(s, &gRPCServer{impl: impl})
 	return nil
 }
 
-func (DatabasePlugin) GRPCClient(doneCtx context.Context, _ *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
+func (GRPCDatabasePlugin) GRPCClient(doneCtx context.Context, _ *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
 	return &gRPCClient{
 		client:     NewDatabaseClient(c),
 		clientConn: c,
diff --git a/builtin/logical/database/dbplugin/plugin_test.go b/builtin/logical/database/dbplugin/plugin_test.go
index ff0416981..baaacb78d 100644
--- a/builtin/logical/database/dbplugin/plugin_test.go
+++ b/builtin/logical/database/dbplugin/plugin_test.go
@@ -127,6 +127,7 @@ func TestPlugin_NetRPC_Main(t *testing.T) {
 		return
 	}
 
+	os.Unsetenv(pluginutil.PluginVaultVersionEnv)
 	p := &mockPlugin{
 		users: make(map[string][]string),
 	}
diff --git a/builtin/logical/database/dbplugin/server.go b/builtin/logical/database/dbplugin/server.go
index 656c44b2d..9f1704935 100644
--- a/builtin/logical/database/dbplugin/server.go
+++ b/builtin/logical/database/dbplugin/server.go
@@ -15,24 +15,34 @@ func Serve(db Database, tlsProvider func() (*tls.Config, error)) {
 }
 
 func ServeConfig(db Database, tlsProvider func() (*tls.Config, error)) *plugin.ServeConfig {
-	dbPlugin := &DatabasePlugin{
-		impl: db,
-	}
-
-	// pluginMap is the map of plugins we can dispense.
-	var pluginMap = map[string]plugin.Plugin{
-		"database": dbPlugin,
+	// pluginSets is the map of plugins we can dispense.
+	pluginSets := map[int]plugin.PluginSet{
+		3: plugin.PluginSet{
+			"database": &DatabasePlugin{
+				GRPCDatabasePlugin: &GRPCDatabasePlugin{
+					Impl: db,
+				},
+			},
+		},
+		4: plugin.PluginSet{
+			"database": &GRPCDatabasePlugin{
+				Impl: db,
+			},
+		},
 	}
 
 	conf := &plugin.ServeConfig{
-		HandshakeConfig: handshakeConfig,
-		Plugins:         pluginMap,
-		TLSProvider:     tlsProvider,
-		GRPCServer:      plugin.DefaultGRPCServer,
+		HandshakeConfig:  handshakeConfig,
+		VersionedPlugins: pluginSets,
+		TLSProvider:      tlsProvider,
+		GRPCServer:       plugin.DefaultGRPCServer,
 	}
 
+	// If we do not have gRPC support fallback to version 3
+	// Remove this block in 0.13
 	if !pluginutil.GRPCSupport() {
 		conf.GRPCServer = nil
+		delete(conf.VersionedPlugins, 4)
 	}
 
 	return conf
diff --git a/helper/pluginutil/env.go b/helper/pluginutil/env.go
index 337c7b736..ed40c7fbf 100644
--- a/helper/pluginutil/env.go
+++ b/helper/pluginutil/env.go
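Review bot: ServeConfig constructs `&GRPCDatabasePlugin{Impl: db}` twice, once wrapped in `DatabasePlugin` for version 3 and once bare for version 4; a single value can back both sets, since `GRPCDatabasePlugin`'s methods use value receivers and nothing in the hunk mutates it after construction. Suggest `grpcPlugin := &GRPCDatabasePlugin{Impl: db}` followed by `3: {"database": &DatabasePlugin{GRPCDatabasePlugin: grpcPlugin}},` and `4: {"database": grpcPlugin},`, which also drops the redundant `plugin.PluginSet` element types that gofmt -s removes. Serve in logical/plugin/serve.go duplicates the `Factory`/`Logger` literal the same way. The fallback block that clears `GRPCServer` and deletes version 4 reads correctly as the 0.13 removal target it is labelled with.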
@@ -35,32 +35,27 @@ func OptionallyEnableMlock() error {
 // it fails to meet the version constraint.
 func GRPCSupport() bool {
 	verString := os.Getenv(PluginVaultVersionEnv)
-
 	// If the env var is empty, we fall back to netrpc for backward compatibility.
 	if verString == "" {
 		return false
 	}
-
 	if verString != "unknown" {
 		ver, err := version.NewVersion(verString)
 		if err != nil {
 			return true
 		}
-
 		// Due to some regressions on 0.9.2 & 0.9.3 we now require version 0.9.4
 		// to allow the plugin framework to default to gRPC.
 		constraint, err := version.NewConstraint(">= 0.9.4")
 		if err != nil {
 			return true
 		}
-
 		return constraint.Check(ver)
 	}
-
 	return true
 }
 
-// Returns true if the plugin calling this function is running in metadata mode.
+// InMetadataMode returns true if the plugin calling this function is running in metadata mode.
 func InMetadataMode() bool {
 	return os.Getenv(PluginMetadataModeEnv) == "true"
 }
diff --git a/helper/pluginutil/runner.go b/helper/pluginutil/runner.go
index 41b32d946..74fe95cc2 100644
--- a/helper/pluginutil/runner.go
+++ b/helper/pluginutil/runner.go
@@ -22,7 +22,7 @@ type Looker interface {
 	LookupPlugin(context.Context, string) (*PluginRunner, error)
 }
 
-// Wrapper interface defines the functions needed by the runner to wrap the
+// RunnerUtil interface defines the functions needed by the runner to wrap the
 // metadata needed to run a plugin process. This includes looking up Mlock
 // configuration and wrapping data in a response wrapped token.
 // logical.SystemView implementations satisfy this interface.
@@ -31,7 +31,7 @@ type RunnerUtil interface {
 	MlockEnabled() bool
 }
 
-// LookWrapper defines the functions for both Looker and Wrapper
+// LookRunnerUtil defines the functions for both Looker and Wrapper
 type LookRunnerUtil interface {
 	Looker
 	RunnerUtil
@@ -52,19 +52,19 @@ type PluginRunner struct {
 // Run takes a wrapper RunnerUtil instance along with the go-plugin parameters and
 // returns a configured plugin.Client with TLS Configured and a wrapping token set
 // on PluginUnwrapTokenEnv for plugin process consumption.
-func (r *PluginRunner) Run(ctx context.Context, wrapper RunnerUtil, pluginMap map[string]plugin.Plugin, hs plugin.HandshakeConfig, env []string, logger log.Logger) (*plugin.Client, error) {
-	return r.runCommon(ctx, wrapper, pluginMap, hs, env, logger, false)
+func (r *PluginRunner) Run(ctx context.Context, wrapper RunnerUtil, pluginSets map[int]plugin.PluginSet, hs plugin.HandshakeConfig, env []string, logger log.Logger) (*plugin.Client, error) {
+	return r.runCommon(ctx, wrapper, pluginSets, hs, env, logger, false)
 }
 
 // RunMetadataMode returns a configured plugin.Client that will dispense a plugin
 // in metadata mode. The PluginMetadataModeEnv is passed in as part of the Cmd to
 // plugin.Client, and consumed by the plugin process on pluginutil.VaultPluginTLSProvider.
-func (r *PluginRunner) RunMetadataMode(ctx context.Context, wrapper RunnerUtil, pluginMap map[string]plugin.Plugin, hs plugin.HandshakeConfig, env []string, logger log.Logger) (*plugin.Client, error) {
-	return r.runCommon(ctx, wrapper, pluginMap, hs, env, logger, true)
+func (r *PluginRunner) RunMetadataMode(ctx context.Context, wrapper RunnerUtil, pluginSets map[int]plugin.PluginSet, hs plugin.HandshakeConfig, env []string, logger log.Logger) (*plugin.Client, error) {
+	return r.runCommon(ctx, wrapper, pluginSets, hs, env, logger, true)
 }
 
-func (r *PluginRunner) runCommon(ctx context.Context, wrapper RunnerUtil, pluginMap map[string]plugin.Plugin, hs plugin.HandshakeConfig, env []string, logger log.Logger, isMetadataMode bool) (*plugin.Client, error) {
+func (r *PluginRunner) runCommon(ctx context.Context, wrapper RunnerUtil, pluginSets map[int]plugin.PluginSet, hs plugin.HandshakeConfig, env []string, logger log.Logger, isMetadataMode bool) (*plugin.Client, error) {
 	cmd := exec.Command(r.Command, r.Args...)
 
 	// `env` should always go last to avoid overwriting internal values that might
@@ -115,12 +115,12 @@ func (r *PluginRunner) runCommon(ctx context.Context, wrapper RunnerUtil, plugin
 	}
 
 	clientConfig := &plugin.ClientConfig{
-		HandshakeConfig: hs,
-		Plugins:         pluginMap,
-		Cmd:             cmd,
-		SecureConfig:    secureConfig,
-		TLSConfig:       clientTLSConfig,
-		Logger:          logger,
+		HandshakeConfig:  hs,
+		VersionedPlugins: pluginSets,
+		Cmd:              cmd,
+		SecureConfig:     secureConfig,
+		TLSConfig:        clientTLSConfig,
+		Logger:           logger,
 		AllowedProtocols: []plugin.Protocol{
 			plugin.ProtocolNetRPC,
 			plugin.ProtocolGRPC,
@@ -132,6 +132,8 @@ func (r *PluginRunner) runCommon(ctx context.Context, wrapper RunnerUtil, plugin
 	return client, nil
 }
 
+// APIClientMeta is a helper that plugins can use to configure TLS connections
+// back to Vault.
 type APIClientMeta struct {
 	// These are set by the command line flags.
 	flagCACert     string
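Review bot: The doc comment on Run still describes its arguments only as "the go-plugin parameters" even though the signature now takes `pluginSets map[int]plugin.PluginSet` keyed by protocol version instead of a single plugin map, and runCommon, which does the real work, has no doc comment at all. Suggest adding to Run's comment `// pluginSets maps each protocol version this host accepts to the plugins dispensable at that version; the version actually used is settled by go-plugin's handshake with the plugin process.` and a one-line purpose comment on runCommon. In the clientConfig hunk, `AllowedProtocols` deliberately keeps both `ProtocolNetRPC` and `ProtocolGRPC`, which is what lets a version-3 plugin still connect; a comment tying that entry to the 0.13 removal noted in server.go would keep the two from drifting apart. runCommon's body starts in this hunk and continues past it.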
@@ -141,6 +143,7 @@ type APIClientMeta struct {
 	flagInsecure   bool
 }
 
+// FlagSet returns the flag set for configuring the TLS connection
 func (f *APIClientMeta) FlagSet() *flag.FlagSet {
 	fs := flag.NewFlagSet("vault plugin settings", flag.ContinueOnError)
 
@@ -153,6 +156,7 @@ func (f *APIClientMeta) FlagSet() *flag.FlagSet {
 	return fs
 }
 
+// GetTLSConfig will return a TLSConfig based off the values from the flags
 func (f *APIClientMeta) GetTLSConfig() *api.TLSConfig {
 	// If we need custom TLS configuration, then set it
 	if f.flagCACert != "" || f.flagCAPath != "" || f.flagClientCert != "" || f.flagClientKey != "" || f.flagInsecure {
@@ -171,7 +175,7 @@ func (f *APIClientMeta) GetTLSConfig() *api.TLSConfig {
 	return nil
 }
 
-// CancelIfCanceled takes a context cancel func and a context. If the context is
+// CtxCancelIfCanceled takes a context cancel func and a context. If the context is
 // shutdown the cancelfunc is called. This is useful for merging two cancel
 // functions.
 func CtxCancelIfCanceled(f context.CancelFunc, ctxCanceler context.Context) chan struct{} {
diff --git a/logical/plugin/backend.go b/logical/plugin/backend.go
index b55a0aaef..ac367c165 100644
--- a/logical/plugin/backend.go
+++ b/logical/plugin/backend.go
@@ -13,11 +13,25 @@ import (
 	"github.com/hashicorp/vault/logical/plugin/pb"
 )
 
+var _ plugin.Plugin = (*BackendPlugin)(nil)
+var _ plugin.GRPCPlugin = (*BackendPlugin)(nil)
+var _ plugin.Plugin = (*GRPCBackendPlugin)(nil)
+var _ plugin.GRPCPlugin = (*GRPCBackendPlugin)(nil)
+
 // BackendPlugin is the plugin.Plugin implementation
 type BackendPlugin struct {
+	*GRPCBackendPlugin
+}
+
+// GRPCBackendPlugin is the plugin.Plugin implementation that only supports GRPC
+// transport
+type GRPCBackendPlugin struct {
 	Factory      logical.Factory
-	metadataMode bool
+	MetadataMode bool
 	Logger       log.Logger
+
+	// Embeding this will disable the netRPC protocol
+	plugin.NetRPCUnsupportedPlugin
 }
 
 // Server gets called when on plugin.Serve()
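Review bot: `MetadataMode` is promoted from an unexported field to part of `GRPCBackendPlugin`'s public surface without a doc comment, so external plugin authors now see a bare bool; the only description of the mode on this page is RunMetadataMode's comment in runner.go. Suggest `// MetadataMode reports whether the plugin is being dispensed in metadata mode (see pluginutil.PluginRunner.RunMetadataMode).` The comment on the embedded field is misspelled, `Embeding`, here and on `GRPCDatabasePlugin` in dbplugin/plugin.go; `// Embedding this disables the netRPC protocol` reads correctly in both. The runner.go doc hunks above are fine as written; `GetTLSConfig`'s new comment could name the nil return (`returns nil when no TLS flag was set`), which the visible `return nil` at the end of that function implies.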
@@ -33,10 +47,14 @@ func (b *BackendPlugin) Server(broker *plugin.MuxBroker) (interface{}, error) {
 
 // Client gets called on plugin.NewClient()
 func (b BackendPlugin) Client(broker *plugin.MuxBroker, c *rpc.Client) (interface{}, error) {
-	return &backendPluginClient{client: c, broker: broker, metadataMode: b.metadataMode}, nil
+	return &backendPluginClient{
+		client:       c,
+		broker:       broker,
+		metadataMode: b.MetadataMode,
+	}, nil
 }
 
-func (b BackendPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server) error {
+func (b GRPCBackendPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server) error {
 	pb.RegisterBackendServer(s, &backendGRPCPluginServer{
 		broker:  broker,
 		factory: b.Factory,
@@ -47,13 +65,14 @@ func (b BackendPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server) err
 	return nil
 }
 
-func (p *BackendPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
+func (b *GRPCBackendPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
 	ret := &backendGRPCPluginClient{
-		client:     pb.NewBackendClient(c),
-		clientConn: c,
-		broker:     broker,
-		cleanupCh:  make(chan struct{}),
-		doneCtx:    ctx,
+		client:       pb.NewBackendClient(c),
+		clientConn:   c,
+		broker:       broker,
+		cleanupCh:    make(chan struct{}),
+		doneCtx:      ctx,
+		metadataMode: b.MetadataMode,
 	}
 
 	// Create the value and set the type
diff --git a/logical/plugin/backend_test.go b/logical/plugin/backend_test.go
index 329450649..d36d7639f 100644
--- a/logical/plugin/backend_test.go
+++ b/logical/plugin/backend_test.go
@@ -140,7 +140,9 @@ func testBackend(t *testing.T) (logical.Backend, func()) {
 	// Create a mock provider
 	pluginMap := map[string]gplugin.Plugin{
 		"backend": &BackendPlugin{
-			Factory: mock.Factory,
+			GRPCBackendPlugin: &GRPCBackendPlugin{
+				Factory: mock.Factory,
+			},
 		},
 	}
 	client, _ := gplugin.TestPluginRPCConn(t, pluginMap, nil)
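Review bot: `GRPCBackendPlugin` ends up with mixed receiver kinds: `GRPCServer` takes a value receiver while `GRPCClient` takes `*GRPCBackendPlugin`, so only the pointer type satisfies `plugin.GRPCPlugin` (the interface assertions at the top of the file use `(*GRPCBackendPlugin)(nil)`, which is why they compile) and a `GRPCBackendPlugin{}` value placed in a PluginSet would be rejected at runtime rather than at build time. The dbplugin counterpart uses value receivers for both methods; unless something outside the hunk needs the pointer, `func (b GRPCBackendPlugin) GRPCClient(...)` keeps the two types parallel. `metadataMode: b.MetadataMode` added to the gRPC client is the visible functional fix of this hunk, bringing the gRPC path in line with the netRPC `Client` above it, and deserves a mention in the commit description. `BackendPlugin.Server` begins before this hunk and already used a pointer receiver.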
diff --git a/logical/plugin/grpc_backend_test.go b/logical/plugin/grpc_backend_test.go
index 344815294..63d125139 100644
--- a/logical/plugin/grpc_backend_test.go
+++ b/logical/plugin/grpc_backend_test.go
@@ -141,12 +141,14 @@ func testGRPCBackend(t *testing.T) (logical.Backend, func()) {
 	// Create a mock provider
 	pluginMap := map[string]gplugin.Plugin{
 		"backend": &BackendPlugin{
-			Factory: mock.Factory,
-			Logger: log.New(&log.LoggerOptions{
-				Level:      log.Debug,
-				Output:     os.Stderr,
-				JSONFormat: true,
-			}),
+			GRPCBackendPlugin: &GRPCBackendPlugin{
+				Factory: mock.Factory,
+				Logger: log.New(&log.LoggerOptions{
+					Level:      log.Debug,
+					Output:     os.Stderr,
+					JSONFormat: true,
+				}),
+			},
 		},
 	}
 	client, _ := gplugin.TestPluginGRPCConn(t, pluginMap)
diff --git a/logical/plugin/plugin.go b/logical/plugin/plugin.go
index 754494b8f..7ef3a5577 100644
--- a/logical/plugin/plugin.go
+++ b/logical/plugin/plugin.go
@@ -96,9 +96,18 @@ func NewBackend(ctx context.Context, pluginName string, sys pluginutil.LookRunne
 func newPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunner *pluginutil.PluginRunner, logger log.Logger, isMetadataMode bool) (logical.Backend, error) {
 	// pluginMap is the map of plugins we can dispense.
-	pluginMap := map[string]plugin.Plugin{
-		"backend": &BackendPlugin{
-			metadataMode: isMetadataMode,
+	pluginSet := map[int]plugin.PluginSet{
+		3: plugin.PluginSet{
+			"backend": &BackendPlugin{
+				GRPCBackendPlugin: &GRPCBackendPlugin{
+					MetadataMode: isMetadataMode,
+				},
+			},
+		},
+		4: plugin.PluginSet{
+			"backend": &GRPCBackendPlugin{
+				MetadataMode: isMetadataMode,
+			},
 		},
 	}
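Review bot: The comment `// pluginMap is the map of plugins we can dispense.` is left in place above the variable that is now named `pluginSet`, and Serve in logical/plugin/serve.go keeps the same stale comment above `pluginSets`; the two dbplugin files in this commit did update it. Suggest `// pluginSet maps protocol version to the plugins we can dispense at that version.` The name is also singular here and plural (`pluginSets`) in every other file the commit touches, so renaming to `pluginSets` keeps the call sites greppable as one pattern. newPluginClient continues in the next hunk, where the variable is passed to Run/RunMetadataMode.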
@@ -107,9 +116,9 @@ func newPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunne
 	var client *plugin.Client
 	var err error
 	if isMetadataMode {
-		client, err = pluginRunner.RunMetadataMode(ctx, sys, pluginMap, handshakeConfig, []string{}, namedLogger)
+		client, err = pluginRunner.RunMetadataMode(ctx, sys, pluginSet, handshakeConfig, []string{}, namedLogger)
 	} else {
-		client, err = pluginRunner.Run(ctx, sys, pluginMap, handshakeConfig, []string{}, namedLogger)
+		client, err = pluginRunner.Run(ctx, sys, pluginSet, handshakeConfig, []string{}, namedLogger)
 	}
 	if err != nil {
 		return nil, err
@@ -133,6 +142,7 @@ func newPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunne
 	// implementation but is in fact over an RPC connection.
 	switch raw.(type) {
 	case *backendPluginClient:
+		logger.Warn("plugin is using deprecated netRPC transport, recompile plugin to upgrade to gRPC", "plugin", pluginRunner.Name)
 		backend = raw.(*backendPluginClient)
 		transport = "netRPC"
 	case *backendGRPCPluginClient:
diff --git a/logical/plugin/serve.go b/logical/plugin/serve.go
index 9dd57f8d7..97b9f28bd 100644
--- a/logical/plugin/serve.go
+++ b/logical/plugin/serve.go
@@ -14,7 +14,7 @@ import (
 )
 
 // BackendPluginName is the name of the plugin that can be
-// dispensed rom the plugin server.
+// dispensed from the plugin server.
 const BackendPluginName = "backend"
 
 type TLSProviderFunc func() (*tls.Config, error)
@@ -38,10 +38,20 @@ func Serve(opts *ServeOpts) error {
 	}
 
 	// pluginMap is the map of plugins we can dispense.
-	var pluginMap = map[string]plugin.Plugin{
-		"backend": &BackendPlugin{
-			Factory: opts.BackendFactoryFunc,
-			Logger:  logger,
+	pluginSets := map[int]plugin.PluginSet{
+		3: plugin.PluginSet{
+			"backend": &BackendPlugin{
+				GRPCBackendPlugin: &GRPCBackendPlugin{
+					Factory: opts.BackendFactoryFunc,
+					Logger:  logger,
+				},
+			},
+		},
+		4: plugin.PluginSet{
+			"backend": &GRPCBackendPlugin{
+				Factory: opts.BackendFactoryFunc,
+				Logger:  logger,
+			},
 		},
 	}
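Review bot: The deprecation warning added in the `*backendPluginClient` case logs through `logger`, while the Run/RunMetadataMode calls a few lines earlier in the same function pass `namedLogger`; if `namedLogger` is the plugin-scoped logger its name suggests, the warning loses that scope and the explicit `"plugin", pluginRunner.Name` pair re-adds by hand what the named logger presumably already carries. Suggest `namedLogger.Warn("plugin is using deprecated netRPC transport, recompile plugin to upgrade to gRPC", "plugin", pluginRunner.Name)`, keeping the key if the two loggers turn out not to overlap. How `namedLogger` is derived is outside the hunk, so confirm before switching. The `transport = "netRPC"` assignment on the next line and this warning describe the same condition; one comment, `// netRPC is kept only for plugins built before the gRPC transport; see the 0.13 removal note in serve.go`, would tie them together.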
@@ -51,10 +61,10 @@ func Serve(opts *ServeOpts) error {
 	}
 
 	serveOpts := &plugin.ServeConfig{
-		HandshakeConfig: handshakeConfig,
-		Plugins:         pluginMap,
-		TLSProvider:     opts.TLSProviderFunc,
-		Logger:          logger,
+		HandshakeConfig:  handshakeConfig,
+		VersionedPlugins: pluginSets,
+		TLSProvider:      opts.TLSProviderFunc,
+		Logger:           logger,
 
 		// A non-nil value here enables gRPC serving for this plugin...
 		GRPCServer: func(opts []grpc.ServerOption) *grpc.Server {
@@ -64,11 +74,13 @@ func Serve(opts *ServeOpts) error {
 		},
 	}
 
+	// If we do not have gRPC support fallback to version 3
+	// Remove this block in 0.13
 	if !pluginutil.GRPCSupport() {
 		serveOpts.GRPCServer = nil
+		delete(pluginSets, 4)
 	}
 
-	// If FetchMetadata is true, run without TLSProvider
 	plugin.Serve(serveOpts)
 
 	return nil
@@ -79,7 +91,7 @@ func Serve(opts *ServeOpts) error {
 // This prevents users from executing bad plugins or executing a plugin
 // directory. It is a UX feature, not a security feature.
 var handshakeConfig = plugin.HandshakeConfig{
-	ProtocolVersion:  3,
+	ProtocolVersion:  4,
 	MagicCookieKey:   "VAULT_BACKEND_PLUGIN",
 	MagicCookieValue: "6669da05-b1c8-4f49-97d9-c8e5bed98e20",
 }
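Review bot: The fallback removes version 4 from `pluginSets` after that map has already been stored in `serveOpts.VersionedPlugins`; it works only because both names alias one map, which a reader has to know, and ServeConfig in dbplugin/server.go writes the identical step as `delete(conf.VersionedPlugins, 4)`. Either mirror that form, `delete(serveOpts.VersionedPlugins, 4)`, or decide the sets before `serveOpts` is built so the ServeConfig is never mutated after construction; the GRPCServer line in the same block makes the second option the cleaner one. The removed `// If FetchMetadata is true, run without TLSProvider` comment had no corresponding code in the hunk, so dropping it looks right. The handshake bump to `ProtocolVersion: 4` matches the dbplugin side; the comment above it stating that the magic cookie is a UX feature, not a security one, is accurate and worth keeping as is.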