/
path_tidy_user_id.go
271 lines (228 loc) · 8.61 KB
/
path_tidy_user_id.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
package approle
import (
"context"
"fmt"
"net/http"
"sync/atomic"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/locksutil"
"github.com/hashicorp/vault/sdk/logical"
)
func pathTidySecretID(b *backend) *framework.Path {
return &framework.Path{
Pattern: "tidy/secret-id$",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.pathTidySecretIDUpdate,
},
HelpSynopsis: pathTidySecretIDSyn,
HelpDescription: pathTidySecretIDDesc,
}
}
// tidySecretID is used to delete entries in the whitelist that are expired.
func (b *backend) tidySecretID(ctx context.Context, req *logical.Request) (*logical.Response, error) {
// If we are a performance standby forward the request to the active node
if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
return nil, logical.ErrReadOnly
}
if !atomic.CompareAndSwapUint32(b.tidySecretIDCASGuard, 0, 1) {
resp := &logical.Response{}
resp.AddWarning("Tidy operation already in progress.")
return resp, nil
}
go b.tidySecretIDinternal(req.Storage)
resp := &logical.Response{}
resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
}
type tidyHelperSecretIDAccessor struct {
secretIDAccessorStorageEntry
saltedSecretIDAccessor string
}
func (b *backend) tidySecretIDinternal(s logical.Storage) {
defer atomic.StoreUint32(b.tidySecretIDCASGuard, 0)
logger := b.Logger().Named("tidy")
checkCount := 0
defer func() {
logger.Trace("done checking entries", "num_entries", checkCount)
}()
// Don't cancel when the original client request goes away
ctx := context.Background()
salt, err := b.Salt(ctx)
if err != nil {
logger.Error("error tidying secret IDs", "error", err)
return
}
tidyFunc := func(secretIDPrefixToUse, accessorIDPrefixToUse string) error {
logger.Trace("listing accessors", "prefix", accessorIDPrefixToUse)
// List all the accessors and add them all to a map
// These hashes are the result of salting the accessor id.
accessorHashes, err := s.List(ctx, accessorIDPrefixToUse)
if err != nil {
return err
}
skipHashes := make(map[string]bool, len(accessorHashes))
accHashesByLockID := make([][]tidyHelperSecretIDAccessor, 256)
for _, accessorHash := range accessorHashes {
var entry secretIDAccessorStorageEntry
entryIndex := accessorIDPrefixToUse + accessorHash
se, err := s.Get(ctx, entryIndex)
if err != nil {
return err
}
if se == nil {
continue
}
err = se.DecodeJSON(&entry)
if err != nil {
return err
}
lockIdx := locksutil.LockIndexForKey(entry.SecretIDHMAC)
accHashesByLockID[lockIdx] = append(accHashesByLockID[lockIdx], tidyHelperSecretIDAccessor{
secretIDAccessorStorageEntry: entry,
saltedSecretIDAccessor: accessorHash,
})
}
secretIDCleanupFunc := func(secretIDHMAC, roleNameHMAC, secretIDPrefixToUse string) error {
checkCount++
lock := b.secretIDLock(secretIDHMAC)
lock.Lock()
defer lock.Unlock()
entryIndex := fmt.Sprintf("%s%s%s", secretIDPrefixToUse, roleNameHMAC, secretIDHMAC)
secretIDEntry, err := s.Get(ctx, entryIndex)
if err != nil {
return errwrap.Wrapf(fmt.Sprintf("error fetching SecretID %q: {{err}}", secretIDHMAC), err)
}
if secretIDEntry == nil {
logger.Error("entry for secret id was nil", "secret_id_hmac", secretIDHMAC)
return nil
}
if secretIDEntry.Value == nil || len(secretIDEntry.Value) == 0 {
return fmt.Errorf("found entry for SecretID %q but actual SecretID is empty", secretIDHMAC)
}
var result secretIDStorageEntry
if err := secretIDEntry.DecodeJSON(&result); err != nil {
return err
}
// If a secret ID entry does not have a corresponding accessor
// entry, revoke the secret ID immediately
accessorEntry, err := b.secretIDAccessorEntry(ctx, s, result.SecretIDAccessor, secretIDPrefixToUse)
if err != nil {
return errwrap.Wrapf("failed to read secret ID accessor entry: {{err}}", err)
}
if accessorEntry == nil {
logger.Trace("found nil accessor")
if err := s.Delete(ctx, entryIndex); err != nil {
return errwrap.Wrapf(fmt.Sprintf("error deleting secret ID %q from storage: {{err}}", secretIDHMAC), err)
}
return nil
}
// ExpirationTime not being set indicates non-expiring SecretIDs
if !result.ExpirationTime.IsZero() && time.Now().After(result.ExpirationTime) {
logger.Trace("found expired secret ID")
// Clean up the accessor of the secret ID first
err = b.deleteSecretIDAccessorEntry(ctx, s, result.SecretIDAccessor, secretIDPrefixToUse)
if err != nil {
return errwrap.Wrapf("failed to delete secret ID accessor entry: {{err}}", err)
}
if err := s.Delete(ctx, entryIndex); err != nil {
return errwrap.Wrapf(fmt.Sprintf("error deleting SecretID %q from storage: {{err}}", secretIDHMAC), err)
}
return nil
}
// At this point, the secret ID is not expired and is valid. Flag
// the corresponding accessor as not needing attention.
skipHashes[salt.SaltID(result.SecretIDAccessor)] = true
return nil
}
logger.Trace("listing role HMACs", "prefix", secretIDPrefixToUse)
roleNameHMACs, err := s.List(ctx, secretIDPrefixToUse)
if err != nil {
return err
}
for _, roleNameHMAC := range roleNameHMACs {
logger.Trace("listing secret ID HMACs", "role_hmac", roleNameHMAC)
secretIDHMACs, err := s.List(ctx, fmt.Sprintf("%s%s", secretIDPrefixToUse, roleNameHMAC))
if err != nil {
return err
}
for _, secretIDHMAC := range secretIDHMACs {
err = secretIDCleanupFunc(secretIDHMAC, roleNameHMAC, secretIDPrefixToUse)
if err != nil {
return err
}
}
}
// Accessor indexes were not getting cleaned up until 0.9.3. This is a fix
// to clean up the dangling accessor entries.
if len(accessorHashes) > len(skipHashes) {
// There is some raciness here because we're querying secretids for
// roles without having a lock while doing so. Because
// accHashesByLockID was populated previously, at worst this may
// mean that we fail to clean up something we ought to.
var allSecretIDHMACs = make(map[string]struct{})
for _, roleNameHMAC := range roleNameHMACs {
secretIDHMACs, err := s.List(ctx, secretIDPrefixToUse+roleNameHMAC)
if err != nil {
return err
}
for _, v := range secretIDHMACs {
allSecretIDHMACs[v] = struct{}{}
}
}
tidyEntries := func(entries []tidyHelperSecretIDAccessor) error {
for _, entry := range entries {
// Don't clean up accessor index entry if secretid cleanup func
// determined that it should stay.
if _, ok := skipHashes[entry.saltedSecretIDAccessor]; ok {
continue
}
// Don't clean up accessor index entry if referenced in role.
if _, ok := allSecretIDHMACs[entry.SecretIDHMAC]; ok {
continue
}
if err := s.Delete(context.Background(), accessorIDPrefixToUse+entry.saltedSecretIDAccessor); err != nil {
return err
}
}
return nil
}
for lockIdx, entries := range accHashesByLockID {
// Ideally, locking on accessors should be performed here too
// but for that, accessors are required in plaintext, which are
// not available.
// ...
// The lock is held when writing accessor/secret so if we have
// the lock we know we're not in a
// wrote-accessor-but-not-yet-secret case, which can be racy.
b.secretIDLocks[lockIdx].Lock()
err = tidyEntries(entries)
b.secretIDLocks[lockIdx].Unlock()
if err != nil {
return err
}
}
}
return nil
}
err = tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
if err != nil {
logger.Error("error tidying global secret IDs", "error", err)
return
}
err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
if err != nil {
logger.Error("error tidying local secret IDs", "error", err)
return
}
}
// pathTidySecretIDUpdate is used to delete the expired SecretID entries
func (b *backend) pathTidySecretIDUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
return b.tidySecretID(ctx, req)
}
const pathTidySecretIDSyn = "Trigger the clean-up of expired SecretID entries."
const pathTidySecretIDDesc = `SecretIDs will have expiration time attached to them. The periodic function
of the backend will look for expired entries and delete them. This happens once in a minute. Invoking
this endpoint will trigger the clean-up action, without waiting for the backend's periodic function.`