forked from hashicorp/vault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
path_config_tidy_roletag_blacklist.go
151 lines (126 loc) · 4.82 KB
/
path_config_tidy_roletag_blacklist.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
package awsauth
import (
"context"
"fmt"
"github.com/fatih/structs"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
const (
roletagBlacklistConfigPath = "config/tidy/roletag-blacklist"
)
func pathConfigTidyRoletagBlacklist(b *backend) *framework.Path {
return &framework.Path{
Pattern: fmt.Sprintf("%s$", roletagBlacklistConfigPath),
Fields: map[string]*framework.FieldSchema{
"safety_buffer": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Default: 15552000, //180d
Description: `The amount of extra time that must have passed beyond the roletag
expiration, before it is removed from the backend storage.
Defaults to 4320h (180 days).`,
},
"disable_periodic_tidy": &framework.FieldSchema{
Type: framework.TypeBool,
Default: false,
Description: "If set to 'true', disables the periodic tidying of blacklisted entries.",
},
},
ExistenceCheck: b.pathConfigTidyRoletagBlacklistExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.CreateOperation: b.pathConfigTidyRoletagBlacklistCreateUpdate,
logical.UpdateOperation: b.pathConfigTidyRoletagBlacklistCreateUpdate,
logical.ReadOperation: b.pathConfigTidyRoletagBlacklistRead,
logical.DeleteOperation: b.pathConfigTidyRoletagBlacklistDelete,
},
HelpSynopsis: pathConfigTidyRoletagBlacklistHelpSyn,
HelpDescription: pathConfigTidyRoletagBlacklistHelpDesc,
}
}
func (b *backend) pathConfigTidyRoletagBlacklistExistenceCheck(ctx context.Context, req *logical.Request, data *framework.FieldData) (bool, error) {
entry, err := b.lockedConfigTidyRoleTags(ctx, req.Storage)
if err != nil {
return false, err
}
return entry != nil, nil
}
func (b *backend) lockedConfigTidyRoleTags(ctx context.Context, s logical.Storage) (*tidyBlacklistRoleTagConfig, error) {
b.configMutex.RLock()
defer b.configMutex.RUnlock()
return b.nonLockedConfigTidyRoleTags(ctx, s)
}
func (b *backend) nonLockedConfigTidyRoleTags(ctx context.Context, s logical.Storage) (*tidyBlacklistRoleTagConfig, error) {
entry, err := s.Get(ctx, roletagBlacklistConfigPath)
if err != nil {
return nil, err
}
if entry == nil {
return nil, nil
}
var result tidyBlacklistRoleTagConfig
if err := entry.DecodeJSON(&result); err != nil {
return nil, err
}
return &result, nil
}
func (b *backend) pathConfigTidyRoletagBlacklistCreateUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
configEntry, err := b.nonLockedConfigTidyRoleTags(ctx, req.Storage)
if err != nil {
return nil, err
}
if configEntry == nil {
configEntry = &tidyBlacklistRoleTagConfig{}
}
safetyBufferInt, ok := data.GetOk("safety_buffer")
if ok {
configEntry.SafetyBuffer = safetyBufferInt.(int)
} else if req.Operation == logical.CreateOperation {
configEntry.SafetyBuffer = data.Get("safety_buffer").(int)
}
disablePeriodicTidyBool, ok := data.GetOk("disable_periodic_tidy")
if ok {
configEntry.DisablePeriodicTidy = disablePeriodicTidyBool.(bool)
} else if req.Operation == logical.CreateOperation {
configEntry.DisablePeriodicTidy = data.Get("disable_periodic_tidy").(bool)
}
entry, err := logical.StorageEntryJSON(roletagBlacklistConfigPath, configEntry)
if err != nil {
return nil, err
}
if err := req.Storage.Put(ctx, entry); err != nil {
return nil, err
}
return nil, nil
}
func (b *backend) pathConfigTidyRoletagBlacklistRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
clientConfig, err := b.lockedConfigTidyRoleTags(ctx, req.Storage)
if err != nil {
return nil, err
}
if clientConfig == nil {
return nil, nil
}
return &logical.Response{
Data: structs.New(clientConfig).Map(),
}, nil
}
func (b *backend) pathConfigTidyRoletagBlacklistDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
return nil, req.Storage.Delete(ctx, roletagBlacklistConfigPath)
}
type tidyBlacklistRoleTagConfig struct {
SafetyBuffer int `json:"safety_buffer" structs:"safety_buffer" mapstructure:"safety_buffer"`
DisablePeriodicTidy bool `json:"disable_periodic_tidy" structs:"disable_periodic_tidy" mapstructure:"disable_periodic_tidy"`
}
const pathConfigTidyRoletagBlacklistHelpSyn = `
Configures the periodic tidying operation of the blacklisted role tag entries.
`
const pathConfigTidyRoletagBlacklistHelpDesc = `
By default, the expired entries in the blacklist will be attempted to be removed
periodically. This operation will look for expired items in the list and purges them.
However, there is a safety buffer duration (defaults to 72h), purges the entries
only if they have been persisting this duration, past its expiration time.
`