Feature Active Directory credential checkout (#55)

* change readConfig from a method to a function (#39) * Add storage handler (#41) * add storage handler * changes from feedback * add validateInputs func and tests * fix comment indentation * comment all exported items * fix comment indentation * Add password handler (#43) * add password handler * add ErrNotFound * fix build ooms (#46) * Add reserve API endpoints (#47) * fix test edits that were for debugging (#48) * Add checkout status endpoint (#50) * add checkout status endpoint * only return the available field if its checked in * order imports * Add enforcement toggle (#49) * add enforcement toggle * add more tests * replace lending period with ttl and max ttl (#51) * Rename reserve to set (#52) * rename reserve to set * update test err * remove dupe ttl lines * Add check-out, check-in, renewal, revocation, and race protection (#53) * flatten check-out handler (#54) * finish replacing Reserve with Set * Fixes from testing (#56) * error loudly on unauthorized check-ins * 400 when check-outs are unavailable * make check-ins an empty array when none are executed * dont error if someone tries to check in an account already in * Update plugin/path_checkouts.go Co-Authored-By: Jim Kalafut <[email protected]> * log and count when check-outs are unavailable (#57)
hashicorp · Oct 10, 2019 · 7abbf39 · 7abbf39
1 parent 0f2fd53
commit 7abbf39
Show file tree

Hide file tree

Showing 31 changed files with 3,360 additions and 32 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -11,11 +11,11 @@ jobs:
         command: |
           echo 'export GO111MODULE=on' >> $BASH_ENV
     - run:
-        name: "Run Tests"
-        command: go test -v ./...
+        name: "Run All Tests with Race Detection"
+        command: make testrace
     - run:
         name: "Install Gox"
         command: go get github.com/mitchellh/gox
     - run:
         name: "Run Build"
-        command: ./scripts/build.sh
+        command: make dev
diff --git a/Makefile b/Makefile
@@ -19,12 +19,12 @@ dev: fmtcheck generate
 	@CGO_ENABLED=0 BUILD_TAGS='$(BUILD_TAGS)' VAULT_DEV_BUILD=1 sh -c "'$(CURDIR)/scripts/build.sh'"
 
 # testshort runs the quick unit tests and vets the code
-testshort: fmtcheck generate
+test: fmtcheck generate
 	CGO_ENABLED=0 VAULT_TOKEN= VAULT_ACC= go test -v -short -tags='$(BUILD_TAGS)' $(TEST) $(TESTARGS) -count=1 -timeout=20m -parallel=4
 
 # test runs the unit tests and vets the code
-test: fmtcheck generate
-	CGO_ENABLED=0 VAULT_TOKEN= VAULT_ACC= go test -v -tags='$(BUILD_TAGS)' $(TEST) $(TESTARGS) -count=1 -timeout=20m -parallel=4
+testrace: fmtcheck generate
+	CGO_ENABLED=1 VAULT_TOKEN= VAULT_ACC= go test -race -v -tags='$(BUILD_TAGS)' $(TEST) $(TESTARGS) -count=1 -timeout=20m -parallel=4
 
 testcompile: fmtcheck generate
 	@for pkg in $(TEST) ; do \

diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/hashicorp/vault-plugin-secrets-ad
 go 1.12
 
 require (
+	github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da
 	github.com/go-errors/errors v1.0.1
 	github.com/go-ldap/ldap v3.0.2+incompatible
 	github.com/hashicorp/go-hclog v0.8.0

diff --git a/go.sum b/go.sum
@@ -1,5 +1,6 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da h1:8GUt8eRujhVEGZFFEjBj46YV4rDjvGrNxb0KMWYkL2I=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310 h1:BUAU3CGlLvorLI26FmByPp2eC2qla6E1Tw+scpcg/to=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=

diff --git a/plugin/backend.go b/plugin/backend.go
@@ -8,13 +8,16 @@ import (
 	"github.com/hashicorp/vault-plugin-secrets-ad/plugin/client"
 	"github.com/hashicorp/vault-plugin-secrets-ad/plugin/util"
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/locksutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/patrickmn/go-cache"
 )
 
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
 	backend := newBackend(util.NewSecretsClient(conf.Logger))
-	backend.Setup(ctx, conf)
+	if err := backend.Setup(ctx, conf); err != nil {
+		return nil, err
+	}
 	return backend, nil
 }
 
@@ -24,6 +27,10 @@ func newBackend(client secretsClient) *backend {
 		roleCache:      cache.New(roleCacheExpiration, roleCacheCleanup),
 		credCache:      cache.New(credCacheExpiration, credCacheCleanup),
 		rotateRootLock: new(int32),
+		checkOutHandler: &checkOutHandler{
+			client: client,
+		},
+		checkOutLocks: locksutil.CreateLocks(),
 	}
 	adBackend.Backend = &framework.Backend{
 		Help: backendHelp,
@@ -33,6 +40,14 @@ func newBackend(client secretsClient) *backend {
 			adBackend.pathListRoles(),
 			adBackend.pathCreds(),
 			adBackend.pathRotateCredentials(),
+
+			// The following paths are for AD credential checkout.
+			adBackend.pathSetCheckIn(),
+			adBackend.pathSetManageCheckIn(),
+			adBackend.pathSetCheckOut(),
+			adBackend.pathSetStatus(),
+			adBackend.pathSets(),
+			adBackend.pathListSets(),
 		},
 		PathsSpecial: &logical.Paths{
 			SealWrapStorage: []string{
@@ -42,19 +57,27 @@ func newBackend(client secretsClient) *backend {
 		},
 		Invalidate:  adBackend.Invalidate,
 		BackendType: logical.TypeLogical,
+		Secrets: []*framework.Secret{
+			adBackend.secretAccessKeys(),
+		},
 	}
 	return adBackend
 }
 
 type backend struct {
-	logical.Backend
+	*framework.Backend
 
 	client secretsClient
 
 	roleCache      *cache.Cache
 	credCache      *cache.Cache
 	credLock       sync.Mutex
 	rotateRootLock *int32
+
+	checkOutHandler *checkOutHandler
+	// checkOutLocks are used for avoiding races
+	// when working with sets through the check-out system.
+	checkOutLocks []*locksutil.LockEntry
 }
 
 func (b *backend) Invalidate(ctx context.Context, key string) {