d8f7dd364a
* audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf()
272 lines
8.5 KiB
Go
272 lines
8.5 KiB
Go
package approle
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
"sync/atomic"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/helper/consts"
|
|
"github.com/hashicorp/vault/sdk/helper/locksutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
func pathTidySecretID(b *backend) *framework.Path {
|
|
return &framework.Path{
|
|
Pattern: "tidy/secret-id$",
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.UpdateOperation: b.pathTidySecretIDUpdate,
|
|
},
|
|
|
|
HelpSynopsis: pathTidySecretIDSyn,
|
|
HelpDescription: pathTidySecretIDDesc,
|
|
}
|
|
}
|
|
|
|
// tidySecretID is used to delete entries in the whitelist that are expired.
|
|
func (b *backend) tidySecretID(ctx context.Context, req *logical.Request) (*logical.Response, error) {
|
|
// If we are a performance standby forward the request to the active node
|
|
if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
|
|
return nil, logical.ErrReadOnly
|
|
}
|
|
|
|
if !atomic.CompareAndSwapUint32(b.tidySecretIDCASGuard, 0, 1) {
|
|
resp := &logical.Response{}
|
|
resp.AddWarning("Tidy operation already in progress.")
|
|
return resp, nil
|
|
}
|
|
|
|
go b.tidySecretIDinternal(req.Storage)
|
|
|
|
resp := &logical.Response{}
|
|
resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
|
|
return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
|
|
}
|
|
|
|
type tidyHelperSecretIDAccessor struct {
|
|
secretIDAccessorStorageEntry
|
|
saltedSecretIDAccessor string
|
|
}
|
|
|
|
func (b *backend) tidySecretIDinternal(s logical.Storage) {
|
|
defer atomic.StoreUint32(b.tidySecretIDCASGuard, 0)
|
|
|
|
logger := b.Logger().Named("tidy")
|
|
|
|
checkCount := 0
|
|
|
|
defer func() {
|
|
logger.Trace("done checking entries", "num_entries", checkCount)
|
|
}()
|
|
|
|
// Don't cancel when the original client request goes away
|
|
ctx := context.Background()
|
|
|
|
salt, err := b.Salt(ctx)
|
|
if err != nil {
|
|
logger.Error("error tidying secret IDs", "error", err)
|
|
return
|
|
}
|
|
|
|
tidyFunc := func(secretIDPrefixToUse, accessorIDPrefixToUse string) error {
|
|
logger.Trace("listing accessors", "prefix", accessorIDPrefixToUse)
|
|
|
|
// List all the accessors and add them all to a map
|
|
// These hashes are the result of salting the accessor id.
|
|
accessorHashes, err := s.List(ctx, accessorIDPrefixToUse)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
skipHashes := make(map[string]bool, len(accessorHashes))
|
|
accHashesByLockID := make([][]tidyHelperSecretIDAccessor, 256)
|
|
for _, accessorHash := range accessorHashes {
|
|
var entry secretIDAccessorStorageEntry
|
|
entryIndex := accessorIDPrefixToUse + accessorHash
|
|
se, err := s.Get(ctx, entryIndex)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if se == nil {
|
|
continue
|
|
}
|
|
err = se.DecodeJSON(&entry)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
lockIdx := locksutil.LockIndexForKey(entry.SecretIDHMAC)
|
|
accHashesByLockID[lockIdx] = append(accHashesByLockID[lockIdx], tidyHelperSecretIDAccessor{
|
|
secretIDAccessorStorageEntry: entry,
|
|
saltedSecretIDAccessor: accessorHash,
|
|
})
|
|
}
|
|
|
|
secretIDCleanupFunc := func(secretIDHMAC, roleNameHMAC, secretIDPrefixToUse string) error {
|
|
checkCount++
|
|
lock := b.secretIDLock(secretIDHMAC)
|
|
lock.Lock()
|
|
defer lock.Unlock()
|
|
|
|
entryIndex := fmt.Sprintf("%s%s%s", secretIDPrefixToUse, roleNameHMAC, secretIDHMAC)
|
|
secretIDEntry, err := s.Get(ctx, entryIndex)
|
|
if err != nil {
|
|
return fmt.Errorf("error fetching SecretID %q: %w", secretIDHMAC, err)
|
|
}
|
|
|
|
if secretIDEntry == nil {
|
|
logger.Error("entry for secret id was nil", "secret_id_hmac", secretIDHMAC)
|
|
return nil
|
|
}
|
|
|
|
if secretIDEntry.Value == nil || len(secretIDEntry.Value) == 0 {
|
|
return fmt.Errorf("found entry for SecretID %q but actual SecretID is empty", secretIDHMAC)
|
|
}
|
|
|
|
var result secretIDStorageEntry
|
|
if err := secretIDEntry.DecodeJSON(&result); err != nil {
|
|
return err
|
|
}
|
|
|
|
// If a secret ID entry does not have a corresponding accessor
|
|
// entry, revoke the secret ID immediately
|
|
accessorEntry, err := b.secretIDAccessorEntry(ctx, s, result.SecretIDAccessor, secretIDPrefixToUse)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to read secret ID accessor entry: %w", err)
|
|
}
|
|
if accessorEntry == nil {
|
|
logger.Trace("found nil accessor")
|
|
if err := s.Delete(ctx, entryIndex); err != nil {
|
|
return fmt.Errorf("error deleting secret ID %q from storage: %w", secretIDHMAC, err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ExpirationTime not being set indicates non-expiring SecretIDs
|
|
if !result.ExpirationTime.IsZero() && time.Now().After(result.ExpirationTime) {
|
|
logger.Trace("found expired secret ID")
|
|
// Clean up the accessor of the secret ID first
|
|
err = b.deleteSecretIDAccessorEntry(ctx, s, result.SecretIDAccessor, secretIDPrefixToUse)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to delete secret ID accessor entry: %w", err)
|
|
}
|
|
|
|
if err := s.Delete(ctx, entryIndex); err != nil {
|
|
return fmt.Errorf("error deleting SecretID %q from storage: %w", secretIDHMAC, err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// At this point, the secret ID is not expired and is valid. Flag
|
|
// the corresponding accessor as not needing attention.
|
|
skipHashes[salt.SaltID(result.SecretIDAccessor)] = true
|
|
|
|
return nil
|
|
}
|
|
|
|
logger.Trace("listing role HMACs", "prefix", secretIDPrefixToUse)
|
|
|
|
roleNameHMACs, err := s.List(ctx, secretIDPrefixToUse)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
for _, roleNameHMAC := range roleNameHMACs {
|
|
logger.Trace("listing secret ID HMACs", "role_hmac", roleNameHMAC)
|
|
secretIDHMACs, err := s.List(ctx, fmt.Sprintf("%s%s", secretIDPrefixToUse, roleNameHMAC))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, secretIDHMAC := range secretIDHMACs {
|
|
err = secretIDCleanupFunc(secretIDHMAC, roleNameHMAC, secretIDPrefixToUse)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
// Accessor indexes were not getting cleaned up until 0.9.3. This is a fix
|
|
// to clean up the dangling accessor entries.
|
|
if len(accessorHashes) > len(skipHashes) {
|
|
// There is some raciness here because we're querying secretids for
|
|
// roles without having a lock while doing so. Because
|
|
// accHashesByLockID was populated previously, at worst this may
|
|
// mean that we fail to clean up something we ought to.
|
|
allSecretIDHMACs := make(map[string]struct{})
|
|
for _, roleNameHMAC := range roleNameHMACs {
|
|
secretIDHMACs, err := s.List(ctx, secretIDPrefixToUse+roleNameHMAC)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, v := range secretIDHMACs {
|
|
allSecretIDHMACs[v] = struct{}{}
|
|
}
|
|
}
|
|
|
|
tidyEntries := func(entries []tidyHelperSecretIDAccessor) error {
|
|
for _, entry := range entries {
|
|
// Don't clean up accessor index entry if secretid cleanup func
|
|
// determined that it should stay.
|
|
if _, ok := skipHashes[entry.saltedSecretIDAccessor]; ok {
|
|
continue
|
|
}
|
|
|
|
// Don't clean up accessor index entry if referenced in role.
|
|
if _, ok := allSecretIDHMACs[entry.SecretIDHMAC]; ok {
|
|
continue
|
|
}
|
|
|
|
if err := s.Delete(context.Background(), accessorIDPrefixToUse+entry.saltedSecretIDAccessor); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
for lockIdx, entries := range accHashesByLockID {
|
|
// Ideally, locking on accessors should be performed here too
|
|
// but for that, accessors are required in plaintext, which are
|
|
// not available.
|
|
// ...
|
|
// The lock is held when writing accessor/secret so if we have
|
|
// the lock we know we're not in a
|
|
// wrote-accessor-but-not-yet-secret case, which can be racy.
|
|
b.secretIDLocks[lockIdx].Lock()
|
|
err = tidyEntries(entries)
|
|
b.secretIDLocks[lockIdx].Unlock()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
err = tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
|
|
if err != nil {
|
|
logger.Error("error tidying global secret IDs", "error", err)
|
|
return
|
|
}
|
|
err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
|
|
if err != nil {
|
|
logger.Error("error tidying local secret IDs", "error", err)
|
|
return
|
|
}
|
|
}
|
|
|
|
// pathTidySecretIDUpdate is used to delete the expired SecretID entries
|
|
func (b *backend) pathTidySecretIDUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
|
return b.tidySecretID(ctx, req)
|
|
}
|
|
|
|
const (
|
|
pathTidySecretIDSyn = "Trigger the clean-up of expired SecretID entries."
|
|
pathTidySecretIDDesc = `SecretIDs will have expiration time attached to them. The periodic function
|
|
of the backend will look for expired entries and delete them. This happens once in a minute. Invoking
|
|
this endpoint will trigger the clean-up action, without waiting for the backend's periodic function.`
|
|
)
|