-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the ability to view and list of leases metadata #2650
Changes from 17 commits
7ba95c8
cc209b1
e0ba238
68681b6
093766d
2e15776
65cedd9
342bebe
ebf24ab
7694708
c3bbe55
585464a
9ac7d8d
54b6bbc
426354b
0223fc8
619cb2e
5577099
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -55,14 +55,16 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
Root: []string{ | ||
"auth/*", | ||
"remount", | ||
"revoke-prefix/*", | ||
"audit", | ||
"audit/*", | ||
"raw/*", | ||
"replication/primary/secondary-token", | ||
"replication/reindex", | ||
"rotate", | ||
"config/auditing/*", | ||
"leases/revoke-prefix/*", | ||
"revoke-prefix/*", | ||
"leases/lookup/*", | ||
}, | ||
|
||
Unauthenticated: []string{ | ||
|
@@ -299,7 +301,43 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "renew" + framework.OptionalParamRegex("url_lease_id"), | ||
Pattern: "leases/lookup/(?P<prefix>.+?)?", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"prefix": &framework.FieldSchema{ | ||
Type: framework.TypeString, | ||
Description: strings.TrimSpace(sysHelp["leases-list-prefix"][0]), | ||
}, | ||
}, | ||
|
||
Callbacks: map[logical.Operation]framework.OperationFunc{ | ||
logical.ListOperation: b.handleLeaseLookupList, | ||
}, | ||
|
||
HelpSynopsis: strings.TrimSpace(sysHelp["leases"][0]), | ||
HelpDescription: strings.TrimSpace(sysHelp["leases"][1]), | ||
}, | ||
|
||
&framework.Path{ | ||
Pattern: "leases/lookup", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"lease_id": &framework.FieldSchema{ | ||
Type: framework.TypeString, | ||
Description: strings.TrimSpace(sysHelp["lease_id"][0]), | ||
}, | ||
}, | ||
|
||
Callbacks: map[logical.Operation]framework.OperationFunc{ | ||
logical.UpdateOperation: b.handleLeaseLookup, | ||
}, | ||
|
||
HelpSynopsis: strings.TrimSpace(sysHelp["leases"][0]), | ||
HelpDescription: strings.TrimSpace(sysHelp["leases"][1]), | ||
}, | ||
|
||
&framework.Path{ | ||
Pattern: "(leases/)?renew" + framework.OptionalParamRegex("url_lease_id"), | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"url_lease_id": &framework.FieldSchema{ | ||
|
@@ -325,7 +363,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "revoke" + framework.OptionalParamRegex("url_lease_id"), | ||
Pattern: "(leases/)?revoke" + framework.OptionalParamRegex("url_lease_id"), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 👍 |
||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"url_lease_id": &framework.FieldSchema{ | ||
|
@@ -347,7 +385,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "revoke-force/(?P<prefix>.+)", | ||
Pattern: "(leases/)?revoke-force/(?P<prefix>.+)", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"prefix": &framework.FieldSchema{ | ||
|
@@ -365,7 +403,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "revoke-prefix/(?P<prefix>.+)", | ||
Pattern: "(leases/)?revoke-prefix/(?P<prefix>.+)", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"prefix": &framework.FieldSchema{ | ||
|
@@ -686,6 +724,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
HelpSynopsis: strings.TrimSpace(sysHelp["audited-headers-name"][0]), | ||
HelpDescription: strings.TrimSpace(sysHelp["audited-headers-name"][1]), | ||
}, | ||
|
||
&framework.Path{ | ||
Pattern: "config/auditing/request-headers$", | ||
|
||
|
@@ -1274,6 +1313,61 @@ func (b *SystemBackend) handleTuneWriteCommon( | |
return nil, nil | ||
} | ||
|
||
// handleLease is use to view the metadata for a given LeaseID | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. s/handleLease/handleLeaseLookup |
||
func (b *SystemBackend) handleLeaseLookup( | ||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
leaseID := data.Get("lease_id").(string) | ||
if leaseID == "" { | ||
return logical.ErrorResponse("lease_id must be specified"), | ||
logical.ErrInvalidRequest | ||
} | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we have a check for There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Will do. |
||
leaseTimes, err := b.Core.expiration.FetchLeaseTimes(leaseID) | ||
if err != nil { | ||
b.Backend.Logger().Error("sys: error retrieving lease", "lease_id", leaseID, "error", err) | ||
return handleError(err) | ||
} | ||
if leaseTimes == nil { | ||
return logical.ErrorResponse("invalid lease"), logical.ErrInvalidRequest | ||
} | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we add a comment here explaining why we are setting values to nil beforehand. This will avoid people removing it in future. |
||
resp := &logical.Response{ | ||
Data: map[string]interface{}{ | ||
"id": leaseID, | ||
"issue_time": leaseTimes.IssueTime, | ||
"expire_time": nil, | ||
"last_renewal": nil, | ||
"ttl": int64(0), | ||
}, | ||
} | ||
renewable, _ := leaseTimes.renewable() | ||
resp.Data["renewable"] = renewable | ||
|
||
if !leaseTimes.LastRenewalTime.IsZero() { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sorry for circling around on this. On a second thought, the idea of having fields with default values (like you were doing earlier) does seem like a sensible thing to do too. What might be of concern is that this API will not have deterministic number of response fields. That is okay I guess but I am not sure if that is a problem. Bringing this up so we can all agree on this and move forward. |
||
resp.Data["last_renewal"] = leaseTimes.LastRenewalTime | ||
} | ||
if !leaseTimes.ExpireTime.IsZero() { | ||
resp.Data["expire_time"] = leaseTimes.ExpireTime | ||
resp.Data["ttl"] = leaseTimes.ttl() | ||
} | ||
return resp, nil | ||
} | ||
|
||
func (b *SystemBackend) handleLeaseLookupList( | ||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
prefix := data.Get("prefix").(string) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can you add a check to make sure prefix is not There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Empty prefix is valid and will list the top level keys. |
||
if prefix != "" && !strings.HasSuffix(prefix, "/") { | ||
prefix = prefix + "/" | ||
} | ||
|
||
keys, err := b.Core.expiration.idView.List(prefix) | ||
if err != nil { | ||
b.Backend.Logger().Error("sys: error listing leases", "prefix", prefix, "error", err) | ||
return handleError(err) | ||
} | ||
return logical.ListResponse(keys), nil | ||
} | ||
|
||
// handleRenew is used to renew a lease with a given LeaseID | ||
func (b *SystemBackend) handleRenew( | ||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
|
@@ -2429,4 +2523,22 @@ This path responds to the following HTTP methods. | |
"Lists the headers configured to be audited.", | ||
`Returns a list of headers that have been configured to be audited.`, | ||
}, | ||
|
||
"leases": { | ||
`View or list lease metadata.`, | ||
` | ||
This path responds to the following HTTP methods. | ||
|
||
PUT / | ||
Retrieve the metadata for the provided lease id. | ||
|
||
LIST /<prefix> | ||
Lists the leases for the named prefix. | ||
`, | ||
}, | ||
|
||
"leases-list-prefix": { | ||
`The path to list leases under. Example: "aws/creds/deploy"`, | ||
"", | ||
}, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want this to be a root protected path?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@briankassouf Since
lease/lookup
doesn't return sensitive information (e.g. the contents of internal data) and you have to know the lease ID ahead of time I don't think it needs to be root. In fact, I am actually thinking we may want to add it to thedefault
policy. Listing on the other hand does divulge lease IDs which can be used to e.g. renew them, so that should be root protected.