-
Notifications
You must be signed in to change notification settings - Fork 4.2k
/
path_tidy_roletag_denylist.go
130 lines (104 loc) · 3.84 KB
/
path_tidy_roletag_denylist.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
package awsauth
import (
"context"
"fmt"
"net/http"
"sync/atomic"
"time"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical"
)
const (
denyListRoletagStorage = "blacklist/roletag/"
)
func (b *backend) pathTidyRoletagDenyList() *framework.Path {
return &framework.Path{
Pattern: "tidy/roletag-denylist$",
Fields: map[string]*framework.FieldSchema{
"safety_buffer": {
Type: framework.TypeDurationSecond,
Default: 259200, // 72h
Description: `The amount of extra time that must have passed beyond the roletag
expiration, before it is removed from the backend storage.`,
},
},
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathTidyRoletagDenylistUpdate,
},
},
HelpSynopsis: pathTidyRoletagDenylistSyn,
HelpDescription: pathTidyRoletagDenylistDesc,
}
}
// tidyDenyListRoleTag is used to clean-up the entries in the role tag deny list.
func (b *backend) tidyDenyListRoleTag(ctx context.Context, req *logical.Request, safetyBuffer int) (*logical.Response, error) {
// If we are a performance standby forward the request to the active node
if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
return nil, logical.ErrReadOnly
}
if !atomic.CompareAndSwapUint32(b.tidyDenyListCASGuard, 0, 1) {
resp := &logical.Response{}
resp.AddWarning("Tidy operation already in progress.")
return resp, nil
}
s := req.Storage
go func() {
defer atomic.StoreUint32(b.tidyDenyListCASGuard, 0)
// Don't cancel when the original client request goes away
ctx = context.Background()
logger := b.Logger().Named("bltidy")
bufferDuration := time.Duration(safetyBuffer) * time.Second
doTidy := func() error {
tags, err := s.List(ctx, denyListRoletagStorage)
if err != nil {
return err
}
for _, tag := range tags {
tagEntry, err := s.Get(ctx, denyListRoletagStorage+tag)
if err != nil {
return fmt.Errorf("error fetching tag %q: %w", tag, err)
}
if tagEntry == nil {
return fmt.Errorf("tag entry for tag %q is nil", tag)
}
if tagEntry.Value == nil || len(tagEntry.Value) == 0 {
return fmt.Errorf("found entry for tag %q but actual tag is empty", tag)
}
var result roleTagBlacklistEntry
if err := tagEntry.DecodeJSON(&result); err != nil {
return err
}
if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
if err := s.Delete(ctx, denyListRoletagStorage+tag); err != nil {
return fmt.Errorf("error deleting tag %q from storage: %w", tag, err)
}
}
}
return nil
}
if err := doTidy(); err != nil {
logger.Error("error running deny list tidy", "error", err)
return
}
}()
resp := &logical.Response{}
resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
}
// pathTidyRoletagDenylistUpdate is used to clean-up the entries in the role tag deny list.
func (b *backend) pathTidyRoletagDenylistUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
return b.tidyDenyListRoleTag(ctx, req, data.Get("safety_buffer").(int))
}
const pathTidyRoletagDenylistSyn = `
Clean-up the deny list role tag entries.
`
const pathTidyRoletagDenylistDesc = `
When a role tag is deny listed, the expiration time of the deny list entry is
set based on the maximum 'max_ttl' value set on: the role, the role tag and the
backend's mount.
When this endpoint is invoked, all the entries that are expired will be deleted.
A 'safety_buffer' (duration in seconds) can be provided, to ensure deletion of
only those entries that are expired before 'safety_buffer' seconds.
`