open-vault/sdk/plugin/pb/backend.proto
swayne275 335e4c3711
Introduce Logical Unrecoverable Error, Use it in Expiration Manager (#11477)
* build out zombie lease system

* add typo for CI

* undo test CI commit

* time equality test isn't working on CI, so let's see what this does...

* add unrecoverable proto error, make proto, go mod vendor

* zombify leases if unrecoverable error, tests

* test fix: somehow pointer in pointer rx is null after pointer rx called

* tweaks based on roy feedback

* improve zombie errors

* update which errors are unrecoverable

* combine zombie logic

* keep subset of zombie lease in memory
2021-05-03 17:56:06 -06:00

624 lines
19 KiB
Protocol Buffer

syntax = "proto3";
package pb;
option go_package = "github.com/hashicorp/vault/sdk/plugin/pb";
import "google/protobuf/timestamp.proto";
import "sdk/logical/identity.proto";
import "sdk/logical/plugin.proto";
message Empty {}
message Header {
repeated string header = 1;
}
message ProtoError {
// Error type can be one of:
// ErrTypeUnknown uint32 = iota
// ErrTypeUserError
// ErrTypeInternalError
// ErrTypeCodedError
// ErrTypeStatusBadRequest
// ErrTypeUnsupportedOperation
// ErrTypeUnsupportedPath
// ErrTypeInvalidRequest
// ErrTypePermissionDenied
// ErrTypeMultiAuthzPending
// ErrTypeUnrecoverable
uint32 err_type = 1;
string err_msg = 2;
int64 err_code = 3;
}
// Paths is the structure of special paths that is used for SpecialPaths.
message Paths {
// Root are the paths that require a root token to access
repeated string root = 1;
// Unauthenticated are the paths that can be accessed without any auth.
repeated string unauthenticated = 2;
// LocalStorage are paths (prefixes) that are local to this instance; this
// indicates that these paths should not be replicated
repeated string local_storage = 3;
// SealWrapStorage are storage paths that, when using a capable seal,
// should be seal wrapped with extra encryption. It is exact matching
// unless it ends with '/' in which case it will be treated as a prefix.
repeated string seal_wrap_storage = 4;
}
message Request {
// Id is the uuid associated with each request
string id = 1;
// If set, the name given to the replication secondary where this request
// originated
string ReplicationCluster = 2;
// Operation is the requested operation type
string operation = 3;
// Path is the part of the request path not consumed by the
// routing. As an example, if the original request path is "prod/aws/foo"
// and the AWS logical backend is mounted at "prod/aws/", then the
// final path is "foo" since the mount prefix is trimmed.
string path = 4;
// Request data is a JSON object that must have keys with string type.
string data = 5;
// Secret will be non-nil only for Revoke and Renew operations
// to represent the secret that was returned prior.
Secret secret = 6;
// Auth will be non-nil only for Renew operations
// to represent the auth that was returned prior.
Auth auth = 7;
// Headers will contain the http headers from the request. This value will
// be used in the audit broker to ensure we are auditing only the allowed
// headers.
map<string, Header> headers = 8;
// ClientToken is provided to the core so that the identity
// can be verified and ACLs applied. This value is passed
// through to the logical backends but after being salted and
// hashed.
string client_token = 9;
// ClientTokenAccessor is provided to the core so that the it can get
// logged as part of request audit logging.
string client_token_accessor = 10;
// DisplayName is provided to the logical backend to help associate
// dynamic secrets with the source entity. This is not a sensitive
// name, but is useful for operators.
string display_name = 11;
// MountPoint is provided so that a logical backend can generate
// paths relative to itself. The `Path` is effectively the client
// request path with the MountPoint trimmed off.
string mount_point = 12;
// MountType is provided so that a logical backend can make decisions
// based on the specific mount type (e.g., if a mount type has different
// aliases, generating different defaults depending on the alias)
string mount_type = 13;
// MountAccessor is provided so that identities returned by the authentication
// backends can be tied to the mount it belongs to.
string mount_accessor = 14;
// WrapInfo contains requested response wrapping parameters
RequestWrapInfo wrap_info = 15;
// ClientTokenRemainingUses represents the allowed number of uses left on the
// token supplied
int64 client_token_remaining_uses = 16;
// EntityID is the identity of the caller extracted out of the token used
// to make this request
string entity_id = 17;
// PolicyOverride indicates that the requestor wishes to override
// soft-mandatory Sentinel policies
bool policy_override = 18;
// Whether the request is unauthenticated, as in, had no client token
// attached. Useful in some situations where the client token is not made
// accessible.
bool unauthenticated = 19;
// Connection will be non-nil only for credential providers to
// inspect the connection information and potentially use it for
// authentication/protection.
Connection connection = 20;
}
message Auth {
LeaseOptions lease_options = 1;
// InternalData is a JSON object that is stored with the auth struct.
// This will be sent back during a Renew/Revoke for storing internal data
// used for those operations.
string internal_data = 2;
// DisplayName is a non-security sensitive identifier that is
// applicable to this Auth. It is used for logging and prefixing
// of dynamic secrets. For example, DisplayName may be "armon" for
// the github credential backend. If the client token is used to
// generate a SQL credential, the user may be "github-armon-uuid".
// This is to help identify the source without using audit tables.
string display_name = 3;
// Policies is the list of policies that the authenticated user
// is associated with.
repeated string policies = 4;
// Metadata is used to attach arbitrary string-type metadata to
// an authenticated user. This metadata will be outputted into the
// audit log.
map<string, string> metadata = 5;
// ClientToken is the token that is generated for the authentication.
// This will be filled in by Vault core when an auth structure is
// returned. Setting this manually will have no effect.
string client_token = 6;
// Accessor is the identifier for the ClientToken. This can be used
// to perform management functionalities (especially revocation) when
// ClientToken in the audit logs are obfuscated. Accessor can be used
// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
// both without actually knowing the ClientToken.
string accessor = 7;
// Period indicates that the token generated using this Auth object
// should never expire. The token should be renewed within the duration
// specified by this period.
int64 period = 8;
// Number of allowed uses of the issued token
int64 num_uses = 9;
// EntityID is the identifier of the entity in identity store to which the
// identity of the authenticating client belongs to.
string entity_id = 10;
// Alias is the information about the authenticated client returned by
// the auth backend
logical.Alias alias = 11;
// GroupAliases are the informational mappings of external groups which an
// authenticated user belongs to. This is used to check if there are
// mappings groups for the group aliases in identity store. For all the
// matching groups, the entity ID of the user will be added.
repeated logical.Alias group_aliases = 12;
// If set, restricts usage of the certificates to client IPs falling within
// the range of the specified CIDR(s).
repeated string bound_cidrs = 13;
// TokenPolicies and IdentityPolicies break down the list in Policies to
// help determine where a policy was sourced
repeated string token_policies = 14;
repeated string identity_policies = 15;
// Explicit maximum lifetime for the token. Unlike normal TTLs, the maximum
// TTL is a hard limit and cannot be exceeded, also counts for periodic tokens.
int64 explicit_max_ttl = 16;
// TokenType is the type of token being requested
uint32 token_type = 17;
// Whether the default policy should be added automatically by core
bool no_default_policy = 18;
}
message TokenEntry {
string id = 1;
string accessor = 2;
string parent = 3;
repeated string policies = 4;
string path = 5;
map<string, string> meta = 6;
string display_name = 7;
int64 num_uses = 8;
int64 creation_time = 9;
int64 ttl = 10;
int64 explicit_max_ttl = 11;
string role = 12;
int64 period = 13;
string entity_id = 14;
repeated string bound_cidrs = 15;
string namespace_id = 16;
string cubbyhole_id = 17;
uint32 type = 18;
}
message LeaseOptions {
int64 TTL = 1;
bool renewable = 2;
int64 increment = 3;
google.protobuf.Timestamp issue_time = 4;
int64 MaxTTL = 5;
}
message Secret {
LeaseOptions lease_options = 1;
// InternalData is a JSON object that is stored with the secret.
// This will be sent back during a Renew/Revoke for storing internal data
// used for those operations.
string internal_data = 2;
// LeaseID is the ID returned to the user to manage this secret.
// This is generated by Vault core. Any set value will be ignored.
// For requests, this will always be blank.
string lease_id = 3;
}
message Response {
// Secret, if not nil, denotes that this response represents a secret.
Secret secret = 1;
// Auth, if not nil, contains the authentication information for
// this response. This is only checked and means something for
// credential backends.
Auth auth = 2;
// Response data is a JSON object that must have string keys. For
// secrets, this data is sent down to the user as-is. To store internal
// data that you don't want the user to see, store it in
// Secret.InternalData.
string data = 3;
// Redirect is an HTTP URL to redirect to for further authentication.
// This is only valid for credential backends. This will be blanked
// for any logical backend and ignored.
string redirect = 4;
// Warnings allow operations or backends to return warnings in response
// to user actions without failing the action outright.
repeated string warnings = 5;
// Information for wrapping the response in a cubbyhole
ResponseWrapInfo wrap_info = 6;
// Headers will contain the http headers from the response. This value will
// be used in the audit broker to ensure we are auditing only the allowed
// headers.
map<string, Header> headers = 7;
}
message ResponseWrapInfo {
// Setting to non-zero specifies that the response should be wrapped.
// Specifies the desired TTL of the wrapping token.
int64 TTL = 1;
// The token containing the wrapped response
string token = 2;
// The token accessor for the wrapped response token
string accessor = 3;
// The creation time. This can be used with the TTL to figure out an
// expected expiration.
google.protobuf.Timestamp creation_time = 4;
// If the contained response is the output of a token creation call, the
// created token's accessor will be accessible here
string wrapped_accessor = 5;
// WrappedEntityID is the entity identifier of the caller who initiated the
// wrapping request
string wrapped_entity_id = 6;
// The format to use. This doesn't get returned, it's only internal.
string format = 7;
// CreationPath is the original request path that was used to create
// the wrapped response.
string creation_path = 8;
// Controls seal wrapping behavior downstream for specific use cases
bool seal_wrap = 9;
}
message RequestWrapInfo {
// Setting to non-zero specifies that the response should be wrapped.
// Specifies the desired TTL of the wrapping token.
int64 TTL = 1;
// The format to use for the wrapped response; if not specified it's a bare
// token
string format = 2;
// A flag to conforming backends that data for a given request should be
// seal wrapped
bool seal_wrap = 3;
}
// HandleRequestArgs is the args for HandleRequest method.
message HandleRequestArgs {
uint32 storage_id = 1;
Request request = 2;
}
// HandleRequestReply is the reply for HandleRequest method.
message HandleRequestReply {
Response response = 1;
ProtoError err = 2;
}
// InitializeArgs is the args for Initialize method.
message InitializeArgs {
}
// InitializeReply is the reply for Initialize method.
message InitializeReply {
ProtoError err = 1;
}
// SpecialPathsReply is the reply for SpecialPaths method.
message SpecialPathsReply {
Paths paths = 1;
}
// HandleExistenceCheckArgs is the args for HandleExistenceCheck method.
message HandleExistenceCheckArgs {
uint32 storage_id = 1;
Request request = 2;
}
// HandleExistenceCheckReply is the reply for HandleExistenceCheck method.
message HandleExistenceCheckReply {
bool check_found = 1;
bool exists = 2;
ProtoError err = 3;
}
// SetupArgs is the args for Setup method.
message SetupArgs {
uint32 broker_id = 1;
map<string, string> Config = 2;
string backendUUID = 3;
}
// SetupReply is the reply for Setup method.
message SetupReply {
string err = 1;
}
// TypeReply is the reply for the Type method.
message TypeReply {
uint32 type = 1;
}
message InvalidateKeyArgs {
string key = 1;
}
// Backend is the interface that plugins must satisfy. The plugin should
// implement the server for this service. Requests will first run the
// HandleExistenceCheck rpc then run the HandleRequests rpc.
service Backend {
// HandleRequest is used to handle a request and generate a response.
// The plugins must check the operation type and handle appropriately.
rpc HandleRequest(HandleRequestArgs) returns (HandleRequestReply);
// SpecialPaths is a list of paths that are special in some way.
// See PathType for the types of special paths. The key is the type
// of the special path, and the value is a list of paths for this type.
// This is not a regular expression but is an exact match. If the path
// ends in '*' then it is a prefix-based match. The '*' can only appear
// at the end.
rpc SpecialPaths(Empty) returns (SpecialPathsReply);
// HandleExistenceCheck is used to handle a request and generate a response
// indicating whether the given path exists or not; this is used to
// understand whether the request must have a Create or Update capability
// ACL applied. The first bool indicates whether an existence check
// function was found for the backend; the second indicates whether, if an
// existence check function was found, the item exists or not.
rpc HandleExistenceCheck(HandleExistenceCheckArgs) returns (HandleExistenceCheckReply);
// Cleanup is invoked during an unmount of a backend to allow it to
// handle any cleanup like connection closing or releasing of file handles.
// Cleanup is called right before Vault closes the plugin process.
rpc Cleanup(Empty) returns (Empty);
// InvalidateKey may be invoked when an object is modified that belongs
// to the backend. The backend can use this to clear any caches or reset
// internal state as needed.
rpc InvalidateKey(InvalidateKeyArgs) returns (Empty);
// Setup is used to set up the backend based on the provided backend
// configuration. The plugin's setup implementation should use the provided
// broker_id to create a connection back to Vault for use with the Storage
// and SystemView clients.
rpc Setup(SetupArgs) returns (SetupReply);
// Initialize is invoked just after mounting a backend to allow it to
// handle any initialization tasks that need to be performed.
rpc Initialize(InitializeArgs) returns (InitializeReply);
// Type returns the BackendType for the particular backend
rpc Type(Empty) returns (TypeReply);
}
message StorageEntry {
string key = 1;
bytes value = 2;
bool seal_wrap = 3;
}
message StorageListArgs {
string prefix = 1;
}
message StorageListReply {
repeated string keys = 1;
string err = 2;
}
message StorageGetArgs {
string key = 1;
}
message StorageGetReply {
StorageEntry entry = 1;
string err = 2;
}
message StoragePutArgs {
StorageEntry entry = 1;
}
message StoragePutReply {
string err = 1;
}
message StorageDeleteArgs {
string key = 1;
}
message StorageDeleteReply {
string err = 1;
}
// Storage is the way that plugins are able read/write data. Plugins should
// implement the client for this service.
service Storage {
rpc List(StorageListArgs) returns (StorageListReply);
rpc Get(StorageGetArgs) returns (StorageGetReply);
rpc Put(StoragePutArgs) returns (StoragePutReply);
rpc Delete(StorageDeleteArgs) returns (StorageDeleteReply);
}
message TTLReply {
int64 TTL = 1;
}
message TaintedReply {
bool tainted = 1;
}
message CachingDisabledReply {
bool disabled = 1;
}
message ReplicationStateReply {
int32 state = 1;
}
message ResponseWrapDataArgs {
string data = 1;
int64 TTL = 2;
bool JWT = 3;
}
message ResponseWrapDataReply {
ResponseWrapInfo wrap_info = 1;
string err = 2;
}
message MlockEnabledReply {
bool enabled = 1;
}
message LocalMountReply {
bool local = 1;
}
message EntityInfoArgs {
string entity_id = 1;
}
message EntityInfoReply {
logical.Entity entity = 1;
string err = 2;
}
message GroupsForEntityReply {
repeated logical.Group groups = 1;
string err = 2;
}
message PluginEnvReply {
logical.PluginEnvironment plugin_environment = 1;
string err = 2;
}
message GeneratePasswordFromPolicyRequest {
string policy_name = 1;
}
message GeneratePasswordFromPolicyReply {
string password = 1;
}
// SystemView exposes system configuration information in a safe way for plugins
// to consume. Plugins should implement the client for this service.
service SystemView {
// DefaultLeaseTTL returns the default lease TTL set in Vault configuration
rpc DefaultLeaseTTL(Empty) returns (TTLReply);
// MaxLeaseTTL returns the max lease TTL set in Vault configuration; backend
// authors should take care not to issue credentials that last longer than
// this value, as Vault will revoke them
rpc MaxLeaseTTL(Empty) returns (TTLReply);
// Tainted, returns true if the mount is tainted. A mount is tainted if it is in the
// process of being unmounted. This should only be used in special
// circumstances; a primary use-case is as a guard in revocation functions.
// If revocation of a backend's leases fails it can keep the unmounting
// process from being successful. If the reason for this failure is not
// relevant when the mount is tainted (for instance, saving a CRL to disk
// when the stored CRL will be removed during the unmounting process
// anyways), we can ignore the errors to allow unmounting to complete.
rpc Tainted(Empty) returns (TaintedReply);
// CachingDisabled returns true if caching is disabled. If true, no caches
// should be used, despite known slowdowns.
rpc CachingDisabled(Empty) returns (CachingDisabledReply);
// ReplicationState indicates the state of cluster replication
rpc ReplicationState(Empty) returns (ReplicationStateReply);
// ResponseWrapData wraps the given data in a cubbyhole and returns the
// token used to unwrap.
rpc ResponseWrapData(ResponseWrapDataArgs) returns (ResponseWrapDataReply);
// MlockEnabled returns the configuration setting for enabling mlock on
// plugins.
rpc MlockEnabled(Empty) returns (MlockEnabledReply);
// LocalMount, when run from a system view attached to a request, indicates
// whether the request is affecting a local mount or not
rpc LocalMount(Empty) returns (LocalMountReply);
// EntityInfo returns the basic entity information for the given entity id
rpc EntityInfo(EntityInfoArgs) returns (EntityInfoReply);
// PluginEnv returns Vault environment information used by plugins
rpc PluginEnv(Empty) returns (PluginEnvReply);
// GroupsForEntity returns the group membership information for the given
// entity id
rpc GroupsForEntity(EntityInfoArgs) returns (GroupsForEntityReply);
// GeneratePasswordFromPolicy generates a password from an existing password policy
rpc GeneratePasswordFromPolicy(GeneratePasswordFromPolicyRequest) returns (GeneratePasswordFromPolicyReply);
}
message Connection {
// RemoteAddr is the network address that sent the request.
string remote_addr = 1;
}