/
path_tidy_identity_accesslist.go
127 lines (102 loc) · 4.09 KB
/
path_tidy_identity_accesslist.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
package awsauth
import (
"context"
"fmt"
"net/http"
"sync/atomic"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical"
)
func (b *backend) pathTidyIdentityAccessList() *framework.Path {
return &framework.Path{
Pattern: "tidy/identity-accesslist$",
Fields: map[string]*framework.FieldSchema{
"safety_buffer": {
Type: framework.TypeDurationSecond,
Default: 259200,
Description: `The amount of extra time that must have passed beyond the identity's
expiration, before it is removed from the backend storage.`,
},
},
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathTidyIdentityAccessListUpdate,
},
},
HelpSynopsis: pathTidyIdentityAccessListSyn,
HelpDescription: pathTidyIdentityAccessListDesc,
}
}
// tidyAccessListIdentity is used to delete entries in the access list that are expired.
func (b *backend) tidyAccessListIdentity(ctx context.Context, req *logical.Request, safetyBuffer int) (*logical.Response, error) {
// If we are a performance standby forward the request to the active node
if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
return nil, logical.ErrReadOnly
}
if !atomic.CompareAndSwapUint32(b.tidyAccessListCASGuard, 0, 1) {
resp := &logical.Response{}
resp.AddWarning("Tidy operation already in progress.")
return resp, nil
}
s := req.Storage
go func() {
defer atomic.StoreUint32(b.tidyAccessListCASGuard, 0)
// Don't cancel when the original client request goes away
ctx = context.Background()
logger := b.Logger().Named("wltidy")
bufferDuration := time.Duration(safetyBuffer) * time.Second
doTidy := func() error {
identities, err := s.List(ctx, identityAccessListStorage)
if err != nil {
return err
}
for _, instanceID := range identities {
identityEntry, err := s.Get(ctx, identityAccessListStorage+instanceID)
if err != nil {
return errwrap.Wrapf(fmt.Sprintf("error fetching identity of instanceID %q: {{err}}", instanceID), err)
}
if identityEntry == nil {
return fmt.Errorf("identity entry for instanceID %q is nil", instanceID)
}
if identityEntry.Value == nil || len(identityEntry.Value) == 0 {
return fmt.Errorf("found identity entry for instanceID %q but actual identity is empty", instanceID)
}
var result accessListIdentity
if err := identityEntry.DecodeJSON(&result); err != nil {
return err
}
if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
if err := s.Delete(ctx, identityAccessListStorage+instanceID); err != nil {
return errwrap.Wrapf(fmt.Sprintf("error deleting identity of instanceID %q from storage: {{err}}", instanceID), err)
}
}
}
return nil
}
if err := doTidy(); err != nil {
logger.Error("error running access list tidy", "error", err)
return
}
}()
resp := &logical.Response{}
resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
}
// pathTidyIdentityAccessListUpdate is used to delete entries in the access list that are expired.
func (b *backend) pathTidyIdentityAccessListUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
return b.tidyAccessListIdentity(ctx, req, data.Get("safety_buffer").(int))
}
const pathTidyIdentityAccessListSyn = `
Clean-up the access list instance identity entries.
`
const pathTidyIdentityAccessListDesc = `
When an instance identity is in the access list, the expiration time of the access list
entry is set based on the maximum 'max_ttl' value set on: the role, the role tag
and the backend's mount.
When this endpoint is invoked, all the entries that are expired will be deleted.
A 'safety_buffer' (duration in seconds) can be provided, to ensure deletion of
only those entries that are expired before 'safety_buffer' seconds.
`