-
Notifications
You must be signed in to change notification settings - Fork 4.2k
/
logical_system_helpers.go
141 lines (118 loc) · 4.27 KB
/
logical_system_helpers.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
package vault
import (
"context"
"errors"
"fmt"
"strings"
"time"
memdb "github.com/hashicorp/go-memdb"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
var (
invalidateMFAConfig = func(context.Context, *SystemBackend, string) {}
sysInvalidate = func(b *SystemBackend) func(context.Context, string) {
return nil
}
getSystemSchemas = func() []func() *memdb.TableSchema { return nil }
getEGPListResponseKeyInfo = func(*SystemBackend, *namespace.Namespace) map[string]interface{} { return nil }
addSentinelPolicyData = func(map[string]interface{}, *Policy) {}
inputSentinelPolicyData = func(*framework.FieldData, *Policy) *logical.Response { return nil }
controlGroupUnwrap = func(context.Context, *SystemBackend, string, bool) (string, error) {
return "", errors.New("control groups unavailable")
}
pathInternalUINamespacesRead = func(b *SystemBackend) framework.OperationFunc {
return func(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
// Short-circuit here if there's no client token provided
if req.ClientToken == "" {
return nil, fmt.Errorf("client token empty")
}
// Load the ACL policies so we can check for access and filter namespaces
_, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
if err != nil {
return nil, err
}
if entity != nil && entity.Disabled {
b.logger.Warn("permission denied as the entity on the token is disabled")
return nil, logical.ErrPermissionDenied
}
if te != nil && te.EntityID != "" && entity == nil {
b.logger.Warn("permission denied as the entity on the token is invalid")
return nil, logical.ErrPermissionDenied
}
return logical.ListResponse([]string{""}), nil
}
}
pathLicenseRead = func(b *SystemBackend) framework.OperationFunc {
return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
return nil, nil
}
}
pathLicenseUpdate = func(b *SystemBackend) framework.OperationFunc {
return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
return nil, nil
}
}
entPaths = func(b *SystemBackend) []*framework.Path {
return []*framework.Path{
{
Pattern: "replication/status",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
resp := &logical.Response{
Data: map[string]interface{}{
"mode": "disabled",
},
}
return resp, nil
},
},
},
}
}
handleGlobalPluginReload = func(context.Context, *Core, string, string, []string) error {
return nil
}
handleSetupPluginReload = func(*Core) error {
return nil
}
checkRaw = func(b *SystemBackend, path string) error { return nil }
)
// tuneMount is used to set config on a mount point
func (b *SystemBackend) tuneMountTTLs(ctx context.Context, path string, me *MountEntry, newDefault, newMax time.Duration) error {
zero := time.Duration(0)
switch {
case newDefault == zero && newMax == zero:
// No checks needed
case newDefault == zero && newMax != zero:
// No default/max conflict, no checks needed
case newDefault != zero && newMax == zero:
// No default/max conflict, no checks needed
case newDefault != zero && newMax != zero:
if newMax < newDefault {
return fmt.Errorf("backend max lease TTL of %d would be less than backend default lease TTL of %d", int(newMax.Seconds()), int(newDefault.Seconds()))
}
}
origMax := me.Config.MaxLeaseTTL
origDefault := me.Config.DefaultLeaseTTL
me.Config.MaxLeaseTTL = newMax
me.Config.DefaultLeaseTTL = newDefault
// Update the mount table
var err error
switch {
case strings.HasPrefix(path, credentialRoutePrefix):
err = b.Core.persistAuth(ctx, b.Core.auth, &me.Local)
default:
err = b.Core.persistMounts(ctx, b.Core.mounts, &me.Local)
}
if err != nil {
me.Config.MaxLeaseTTL = origMax
me.Config.DefaultLeaseTTL = origDefault
return fmt.Errorf("failed to update mount table, rolling back TTL changes")
}
if b.Core.logger.IsInfo() {
b.Core.logger.Info("mount tuning of leases successful", "path", path)
}
return nil
}