Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSCT Optimizations (OSS) #14323

Merged
merged 4 commits into from
Mar 1, 2022
Merged

SSCT Optimizations (OSS) #14323

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
654d9e2
update ci.hcl to remove 1.6.x and add in 1.10.x
HridoyRoy Feb 28, 2022
abb27ff
SSCT OSS PR review comments and optimizations
HridoyRoy Mar 1, 2022
86ff6f2
Merge branch 'main' into ssct-oss-optimizations
HridoyRoy Mar 1, 2022
dd4d203
check errors in populate token entry calls
HridoyRoy Mar 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion command/login_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ func TestLoginCommand_Run(t *testing.T) {
t.Fatal(err)
}

if l, exp := len(storedToken), minTokenLengthExternal+vault.TokenPrefixLength; l != exp {
if l, exp := len(storedToken), minTokenLengthExternal+vault.TokenPrefixLength; l < exp {
t.Errorf("expected token to be %d characters, was %d: %q", exp, l, storedToken)
}
})
Expand Down
8 changes: 4 additions & 4 deletions helper/namespace/namespace.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,12 +100,12 @@ func SplitIDFromString(input string) (string, string) {
slashIdx := strings.LastIndex(input, "/")

switch {
case strings.HasPrefix(input, "b."):
prefix = "b."
case strings.HasPrefix(input, consts.LegacyBatchTokenPrefix):
prefix = consts.LegacyBatchTokenPrefix
input = input[2:]

case strings.HasPrefix(input, "s."):
prefix = "s."
case strings.HasPrefix(input, consts.LegacyServiceTokenPrefix):
prefix = consts.LegacyServiceTokenPrefix
input = input[2:]
case strings.HasPrefix(input, consts.BatchTokenPrefix):
prefix = consts.BatchTokenPrefix
Expand Down
42 changes: 33 additions & 9 deletions vault/core_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,10 @@ func TestCore_UseSSCTokenToggleOn(t *testing.T) {
// Read the key
req.Operation = logical.ReadOperation
req.Data = nil
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = c.PopulateTokenEntry(ctx, req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = c.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v", err)
Expand All @@ -202,7 +205,7 @@ func TestCore_UseNonSSCTokenToggleOff(t *testing.T) {
DisableSSCTokens: true,
}
c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
if len(root) > TokenLength+OldTokenPrefixLength || !strings.HasPrefix(root, "s.") {
if len(root) > TokenLength+OldTokenPrefixLength || !strings.HasPrefix(root, consts.LegacyServiceTokenPrefix) {
t.Fatalf("token is not an old token type: %s, %d", root, len(root))
}
c.disableSSCTokens = false
Expand All @@ -227,7 +230,10 @@ func TestCore_UseNonSSCTokenToggleOff(t *testing.T) {
// Read the key
req.Operation = logical.ReadOperation
req.Data = nil
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = c.PopulateTokenEntry(ctx, req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = c.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -457,7 +463,10 @@ func TestCore_HandleRequest_Lease(t *testing.T) {
// Read the key
req.Operation = logical.ReadOperation
req.Data = nil
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = c.PopulateTokenEntry(ctx, req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = c.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -500,7 +509,10 @@ func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) {
// Read the key
req.Operation = logical.ReadOperation
req.Data = nil
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = c.PopulateTokenEntry(ctx, req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = c.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -543,7 +555,10 @@ func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) {
// Read the key
req.Operation = logical.ReadOperation
req.Data = nil
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = c.PopulateTokenEntry(ctx, req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = c.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1034,7 +1049,10 @@ func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) {
ClientToken: root,
}
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
t.Fatalf("err: %v", err)
}
Expand Down Expand Up @@ -2087,7 +2105,10 @@ func TestCore_RenewSameLease(t *testing.T) {
// Read the key
req.Operation = logical.ReadOperation
req.Data = nil
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = c.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -2259,7 +2280,10 @@ path "secret/*" {
// Read the key
req.Operation = logical.ReadOperation
req.Data = nil
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = c.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down
12 changes: 8 additions & 4 deletions vault/expiration_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2476,8 +2476,10 @@ func TestExpiration_RevokeForce(t *testing.T) {
Path: "badrenew/creds",
ClientToken: root,
}
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})

err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -2525,8 +2527,10 @@ func TestExpiration_RevokeForceSingle(t *testing.T) {
Path: "badrenew/creds",
ClientToken: root,
}
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})

err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatal(err)
Expand Down
60 changes: 48 additions & 12 deletions vault/logical_system_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1013,7 +1013,10 @@ func TestSystemBackend_leases(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1060,7 +1063,10 @@ func TestSystemBackend_leases_list(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1109,7 +1115,10 @@ func TestSystemBackend_leases_list(t *testing.T) {
// Generate multiple leases
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand All @@ -1120,7 +1129,10 @@ func TestSystemBackend_leases_list(t *testing.T) {

req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1160,7 +1172,10 @@ func TestSystemBackend_leases_list(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/bar")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1208,7 +1223,10 @@ func TestSystemBackend_renew(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1245,7 +1263,10 @@ func TestSystemBackend_renew(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1374,7 +1395,10 @@ func TestSystemBackend_revoke(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1406,7 +1430,10 @@ func TestSystemBackend_revoke(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand All @@ -1429,7 +1456,10 @@ func TestSystemBackend_revoke(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1519,7 +1549,10 @@ func TestSystemBackend_revokePrefix(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -1568,7 +1601,10 @@ func TestSystemBackend_revokePrefix_origUrl(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down
5 changes: 4 additions & 1 deletion vault/request_handling_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -448,7 +448,10 @@ func TestRequestHandling_SecretLeaseMetric(t *testing.T) {
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down
2 changes: 1 addition & 1 deletion vault/router.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -603,7 +603,7 @@ func (r *Router) routeCommon(ctx context.Context, req *logical.Request, existenc
}

switch {
case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(req.ClientToken, "s.") &&
case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(req.ClientToken, consts.LegacyServiceTokenPrefix) &&
!strings.HasPrefix(req.ClientToken, consts.ServiceTokenPrefix):
// In order for the token store to revoke later, we need to have the same
// salted ID, so we double-salt what's going to the cubbyhole backend
Expand Down
4 changes: 2 additions & 2 deletions vault/token_store.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -898,7 +898,7 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
switch {
case strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix):
return fmt.Errorf("custom token ID cannot have the 'hvs.' prefix")
case strings.HasPrefix(entry.ID, "s."):
case strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix):
return fmt.Errorf("custom token ID cannot have the 's.' prefix")
case strings.Contains(entry.ID, "."):
return fmt.Errorf("custom token ID cannot have a '.' in the value")
Expand Down Expand Up @@ -1260,7 +1260,7 @@ func (ts *TokenStore) Lookup(ctx context.Context, id string) (*logical.TokenEntr
}

func (ts *TokenStore) stripBatchPrefix(id string) string {
if strings.HasPrefix(id, "b.") {
if strings.HasPrefix(id, consts.LegacyBatchTokenPrefix) {
return id[2:]
}
if strings.HasPrefix(id, consts.BatchTokenPrefix) {
Expand Down