-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the ability to view and list of leases metadata #2650
Changes from all commits
7ba95c8
cc209b1
e0ba238
68681b6
093766d
2e15776
65cedd9
342bebe
ebf24ab
7694708
c3bbe55
585464a
9ac7d8d
54b6bbc
426354b
0223fc8
619cb2e
5577099
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -55,14 +55,17 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
Root: []string{ | ||
"auth/*", | ||
"remount", | ||
"revoke-prefix/*", | ||
"audit", | ||
"audit/*", | ||
"raw/*", | ||
"replication/primary/secondary-token", | ||
"replication/reindex", | ||
"rotate", | ||
"config/auditing/*", | ||
"revoke-prefix/*", | ||
"leases/revoke-prefix/*", | ||
"leases/revoke-force/*", | ||
"leases/lookup/*", | ||
}, | ||
|
||
Unauthenticated: []string{ | ||
|
@@ -299,7 +302,43 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "renew" + framework.OptionalParamRegex("url_lease_id"), | ||
Pattern: "leases/lookup/(?P<prefix>.+?)?", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"prefix": &framework.FieldSchema{ | ||
Type: framework.TypeString, | ||
Description: strings.TrimSpace(sysHelp["leases-list-prefix"][0]), | ||
}, | ||
}, | ||
|
||
Callbacks: map[logical.Operation]framework.OperationFunc{ | ||
logical.ListOperation: b.handleLeaseLookupList, | ||
}, | ||
|
||
HelpSynopsis: strings.TrimSpace(sysHelp["leases"][0]), | ||
HelpDescription: strings.TrimSpace(sysHelp["leases"][1]), | ||
}, | ||
|
||
&framework.Path{ | ||
Pattern: "leases/lookup", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"lease_id": &framework.FieldSchema{ | ||
Type: framework.TypeString, | ||
Description: strings.TrimSpace(sysHelp["lease_id"][0]), | ||
}, | ||
}, | ||
|
||
Callbacks: map[logical.Operation]framework.OperationFunc{ | ||
logical.UpdateOperation: b.handleLeaseLookup, | ||
}, | ||
|
||
HelpSynopsis: strings.TrimSpace(sysHelp["leases"][0]), | ||
HelpDescription: strings.TrimSpace(sysHelp["leases"][1]), | ||
}, | ||
|
||
&framework.Path{ | ||
Pattern: "(leases/)?renew" + framework.OptionalParamRegex("url_lease_id"), | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"url_lease_id": &framework.FieldSchema{ | ||
|
@@ -325,7 +364,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "revoke" + framework.OptionalParamRegex("url_lease_id"), | ||
Pattern: "(leases/)?revoke" + framework.OptionalParamRegex("url_lease_id"), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 👍 |
||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"url_lease_id": &framework.FieldSchema{ | ||
|
@@ -347,7 +386,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "revoke-force/(?P<prefix>.+)", | ||
Pattern: "(leases/)?revoke-force/(?P<prefix>.+)", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"prefix": &framework.FieldSchema{ | ||
|
@@ -365,7 +404,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "revoke-prefix/(?P<prefix>.+)", | ||
Pattern: "(leases/)?revoke-prefix/(?P<prefix>.+)", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"prefix": &framework.FieldSchema{ | ||
|
@@ -686,6 +725,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
HelpSynopsis: strings.TrimSpace(sysHelp["audited-headers-name"][0]), | ||
HelpDescription: strings.TrimSpace(sysHelp["audited-headers-name"][1]), | ||
}, | ||
|
||
&framework.Path{ | ||
Pattern: "config/auditing/request-headers$", | ||
|
||
|
@@ -1274,6 +1314,61 @@ func (b *SystemBackend) handleTuneWriteCommon( | |
return nil, nil | ||
} | ||
|
||
// handleLease is use to view the metadata for a given LeaseID | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. s/handleLease/handleLeaseLookup |
||
func (b *SystemBackend) handleLeaseLookup( | ||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
leaseID := data.Get("lease_id").(string) | ||
if leaseID == "" { | ||
return logical.ErrorResponse("lease_id must be specified"), | ||
logical.ErrInvalidRequest | ||
} | ||
|
||
leaseTimes, err := b.Core.expiration.FetchLeaseTimes(leaseID) | ||
if err != nil { | ||
b.Backend.Logger().Error("sys: error retrieving lease", "lease_id", leaseID, "error", err) | ||
return handleError(err) | ||
} | ||
if leaseTimes == nil { | ||
return logical.ErrorResponse("invalid lease"), logical.ErrInvalidRequest | ||
} | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we add a comment here explaining why we are setting values to nil beforehand. This will avoid people removing it in future. |
||
resp := &logical.Response{ | ||
Data: map[string]interface{}{ | ||
"id": leaseID, | ||
"issue_time": leaseTimes.IssueTime, | ||
"expire_time": nil, | ||
"last_renewal": nil, | ||
"ttl": int64(0), | ||
}, | ||
} | ||
renewable, _ := leaseTimes.renewable() | ||
resp.Data["renewable"] = renewable | ||
|
||
if !leaseTimes.LastRenewalTime.IsZero() { | ||
resp.Data["last_renewal"] = leaseTimes.LastRenewalTime | ||
} | ||
if !leaseTimes.ExpireTime.IsZero() { | ||
resp.Data["expire_time"] = leaseTimes.ExpireTime | ||
resp.Data["ttl"] = leaseTimes.ttl() | ||
} | ||
return resp, nil | ||
} | ||
|
||
func (b *SystemBackend) handleLeaseLookupList( | ||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
prefix := data.Get("prefix").(string) | ||
if prefix != "" && !strings.HasSuffix(prefix, "/") { | ||
prefix = prefix + "/" | ||
} | ||
|
||
keys, err := b.Core.expiration.idView.List(prefix) | ||
if err != nil { | ||
b.Backend.Logger().Error("sys: error listing leases", "prefix", prefix, "error", err) | ||
return handleError(err) | ||
} | ||
return logical.ListResponse(keys), nil | ||
} | ||
|
||
// handleRenew is used to renew a lease with a given LeaseID | ||
func (b *SystemBackend) handleRenew( | ||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
|
@@ -2429,4 +2524,22 @@ This path responds to the following HTTP methods. | |
"Lists the headers configured to be audited.", | ||
`Returns a list of headers that have been configured to be audited.`, | ||
}, | ||
|
||
"leases": { | ||
`View or list lease metadata.`, | ||
` | ||
This path responds to the following HTTP methods. | ||
|
||
PUT / | ||
Retrieve the metadata for the provided lease id. | ||
|
||
LIST /<prefix> | ||
Lists the leases for the named prefix. | ||
`, | ||
}, | ||
|
||
"leases-list-prefix": { | ||
`The path to list leases under. Example: "aws/creds/deploy"`, | ||
"", | ||
}, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want this to be a root protected path?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@briankassouf Since
lease/lookup
doesn't return sensitive information (e.g. the contents of internal data) and you have to know the lease ID ahead of time I don't think it needs to be root. In fact, I am actually thinking we may want to add it to thedefault
policy. Listing on the other hand does divulge lease IDs which can be used to e.g. renew them, so that should be root protected.