hashicorp · briankassouf · Jul 5, 2019 · Jun 30, 2019 · Jun 30, 2019 · Jun 30, 2019
diff --git a/builtin/credential/aws/backend.go b/builtin/credential/aws/backend.go
@@ -35,7 +35,7 @@ type backend struct {
 	configMutex sync.RWMutex
 
 	// Lock to make changes to role entries
-	roleMutex sync.RWMutex
+	roleMutex sync.Mutex
 
 	// Lock to make changes to the blacklist entries
 	blacklistMutex sync.RWMutex
@@ -134,8 +134,9 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
 			pathIdentityWhitelist(b),
 			pathTidyIdentityWhitelist(b),
 		},
-		Invalidate:  b.invalidate,
-		BackendType: logical.TypeCredential,
+		Invalidate:     b.invalidate,
+		InitializeFunc: b.initialize,
+		BackendType:    logical.TypeCredential,
 	}
 
 	return b, nil

diff --git a/builtin/credential/aws/backend_test.go b/builtin/credential/aws/backend_test.go
@@ -14,10 +14,15 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
+	hclog "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/api"
 	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
+	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/helper/policyutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
 )
 
 const testVaultHeaderValue = "VaultAcceptanceTesting"
@@ -1813,3 +1818,45 @@ func generateRenewRequest(s logical.Storage, auth *logical.Auth) *logical.Reques
 
 	return renewReq
 }
+
+func TestBackend_E2E_Initialize(t *testing.T) {
+
+	// TODO: All this test does is load up the aws plugin, so that if we are in
+	// verbose mode we can observe in the log output that the initialization
+	// process ran:
+	//
+	//    go test -v ./builtin/credential/aws/ -run TestBackend_E2E_Initialize
+	//
+	// We need to modify this test so that it:
+	//     loads the plugin
+	//     writes some roles
+	//     "downgrades"the roles manually by directly modifying storage
+	//     somehow re-triggers an Initialize(), which will upgrade the roles
+	//     read from storage to confirm that the roles are upgraded
+	//     read from storage to confirm that the 'config/version' entry is there
+
+	// set up a test cluster
+	logger := logging.NewVaultLogger(hclog.Trace)
+	coreConfig := &vault.CoreConfig{
+		Logger: logger,
+		CredentialBackends: map[string]logical.Factory{
+			"aws": Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		NumCores:    1,
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	vault.TestWaitActive(t, cluster.Cores[0].Core)
+	client := cluster.Cores[0].Client
+
+	// load the auth plugin
+	if err := client.Sys().EnableAuthWithOptions("aws", &api.EnableAuthOptions{
+		Type: "aws",
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/builtin/credential/aws/path_role.go b/builtin/credential/aws/path_role.go
@@ -319,6 +319,126 @@ func (b *backend) setRole(ctx context.Context, s logical.Storage, roleName strin
 	return nil
 }
 
+// initialize is used to initialize the AWS roles
+func (b *backend) initialize(ctx context.Context, req *logical.InitializationRequest) error {
+
+	// on standbys and DR secondaries we do not want to run any kind of upgrade logic
+	if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby | consts.ReplicationDRSecondary) {
+		return nil
+	}
+
+	// Initialize only if we are either:
+	//   (1) A local mount.
+	//   (2) Are _NOT_ a replicated performance secondary
+	if b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) {
+
+		s := req.Storage
+
+		logger := b.Logger().Named("initialize")
+		logger.Info("starting initialization")
+
+		go func() {
+			// The vault will become unsealed while this goroutine is running,
+			// so we could see some role requests block until the lock is
+			// released.  However we'd rather see those requests block (and
+			// potentially start timing out) than allow a non-upgraded role to
+			// be fetched.
+			b.roleMutex.Lock()
+			defer b.roleMutex.Unlock()
+
+			upgraded, err := b.upgrade(ctx, s)
+			if err != nil {
+				logger.Error("error running initialization", "error", err)
+				return
+			}
+			if upgraded {
+				logger.Info("an upgrade was performed during initialization")
+			}
+		}()
+
+	}
+
+	return nil
+}
+
+// awsVersion stores info about the the latest aws version that we have
+// upgraded to.
+type awsVersion struct {
+	RoleVersion int `json:"role_verison"`
+}
+
+// upgrade does an upgrade, if necessary
+func (b *backend) upgrade(ctx context.Context, s logical.Storage) (bool, error) {
+
+	entry, err := s.Get(ctx, "config/version")
+	if err != nil {
+		return false, err
+	}
+	var version awsVersion
+	if entry == nil {
+		version.RoleVersion = 0
+	} else {
+		err = entry.DecodeJSON(&version)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	switch version.RoleVersion {
+	case 0:
+		fallthrough
+	case 1:
+		fallthrough
+	case 2:
+		err = b.upgradeRoles(ctx, s)
+		if err != nil {
+			return false, err
+		}
+	case currentRoleStorageVersion:
+		return false, nil
+
+	default:
+		return false, fmt.Errorf("unrecognized role version: %d", version.RoleVersion)
+	}
+
+	// save the current version
+	rsv := awsVersion{RoleVersion: currentRoleStorageVersion}
+	entry, err = logical.StorageEntryJSON("config/version", &rsv)
+	if err != nil {
+		return false, err
+	}
+	err = s.Put(ctx, entry)
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
+// upgradeRoles upgrades the various aws roles
+func (b *backend) upgradeRoles(ctx context.Context, s logical.Storage) error {
+
+	// Read all the role names.
+	roleNames, err := s.List(ctx, "role/")
+	if err != nil {
+		return err
+	}
+
+	// Upgrade the roles as necessary.
+	for _, roleName := range roleNames {
+		// make sure the context hasn't been canceled
+		if ctx.Err() != nil {
+			return err
+		}
+		_, err := b.roleInternal(ctx, s, roleName)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // If needed, updates the role entry and returns a bool indicating if it was updated
 // (and thus needs to be persisted)
 func (b *backend) upgradeRole(ctx context.Context, s logical.Storage, roleEntry *awsRoleEntry) (bool, error) {

diff --git a/builtin/credential/aws/path_role_test.go b/builtin/credential/aws/path_role_test.go
@@ -809,6 +809,183 @@ func TestRoleEntryUpgradeV(t *testing.T) {
 	}
 }
 
+func TestRoleInitialize(t *testing.T) {
+
+	config := logical.TestBackendConfig()
+	storage := &logical.InmemStorage{}
+	config.StorageView = storage
+	b, err := Backend(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ctx := context.Background()
+	err = b.Setup(ctx, config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// create some role entries, some of which will need to be upgraded
+	type testData struct {
+		name  string
+		entry *awsRoleEntry
+	}
+
+	before := []testData{
+		{
+			name: "role1",
+			entry: &awsRoleEntry{
+				BoundIamRoleARNs:            []string{"arn:aws:iam::000000000001:role/my_role_prefix"},
+				BoundIamInstanceProfileARNs: []string{"arn:aws:iam::000000000001:instance-profile/my_profile-prefix"},
+				Version:                     1,
+			},
+		},
+		{
+			name: "role2",
+			entry: &awsRoleEntry{
+				BoundIamRoleARNs:            []string{"arn:aws:iam::000000000002:role/my_role_prefix"},
+				BoundIamInstanceProfileARNs: []string{"arn:aws:iam::000000000002:instance-profile/my_profile-prefix"},
+				Version:                     2,
+			},
+		},
+		{
+			name: "role3",
+			entry: &awsRoleEntry{
+				BoundIamRoleARNs:            []string{"arn:aws:iam::000000000003:role/my_role_prefix"},
+				BoundIamInstanceProfileARNs: []string{"arn:aws:iam::000000000003:instance-profile/my_profile-prefix"},
+				Version:                     currentRoleStorageVersion,
+			},
+		},
+	}
+
+	// put the entries in storage
+	for _, role := range before {
+		err = b.setRole(ctx, storage, role.name, role.entry)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// upgrade all the entries
+	upgraded, err := b.upgrade(ctx, storage)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !upgraded {
+		t.Fatalf("expected upgrade")
+	}
+
+	// read the entries from storage
+	after := make([]testData, 0)
+	names, err := storage.List(ctx, "role/")
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, name := range names {
+		entry, err := b.role(ctx, storage, name)
+		if err != nil {
+			t.Fatal(err)
+		}
+		after = append(after, testData{name: name, entry: entry})
+	}
+
+	// make sure each entry is at the current version
+	expected := []testData{
+		{
+			name: "role1",
+			entry: &awsRoleEntry{
+				BoundIamRoleARNs:            []string{"arn:aws:iam::000000000001:role/my_role_prefix"},
+				BoundIamInstanceProfileARNs: []string{"arn:aws:iam::000000000001:instance-profile/my_profile-prefix"},
+				Version:                     currentRoleStorageVersion,
+			},
+		},
+		{
+			name: "role2",
+			entry: &awsRoleEntry{
+				BoundIamRoleARNs:            []string{"arn:aws:iam::000000000002:role/my_role_prefix"},
+				BoundIamInstanceProfileARNs: []string{"arn:aws:iam::000000000002:instance-profile/my_profile-prefix"},
+				Version:                     currentRoleStorageVersion,
+			},
+		},
+		{
+			name: "role3",
+			entry: &awsRoleEntry{
+				BoundIamRoleARNs:            []string{"arn:aws:iam::000000000003:role/my_role_prefix"},
+				BoundIamInstanceProfileARNs: []string{"arn:aws:iam::000000000003:instance-profile/my_profile-prefix"},
+				Version:                     currentRoleStorageVersion,
+			},
+		},
+	}
+	if diff := deep.Equal(expected, after); diff != nil {
+		t.Fatal(diff)
+	}
+
+	// run it again -- nothing will happen
+	upgraded, err = b.upgrade(ctx, storage)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if upgraded {
+		t.Fatalf("expected no upgrade")
+	}
+
+	// make sure saved role version is correct
+	entry, err := storage.Get(ctx, "config/version")
+	if err != nil {
+		t.Fatal(err)
+	}
+	var version awsVersion
+	err = entry.DecodeJSON(&version)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if version.RoleVersion != currentRoleStorageVersion {
+		t.Fatalf("expected version %d, got  %d", currentRoleStorageVersion, version.RoleVersion)
+	}
+
+	// stomp on the saved version
+	version.RoleVersion = 0
+	e2, err := logical.StorageEntryJSON("config/version", version)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = storage.Put(ctx, e2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// run it again -- now an upgrade will happen
+	upgraded, err = b.upgrade(ctx, storage)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !upgraded {
+		t.Fatalf("expected upgrade")
+	}
+}
+
+func TestRoleStorageVersion(t *testing.T) {
+
+	before := awsVersion{
+		RoleVersion: 42,
+	}
+
+	entry, err := logical.StorageEntryJSON("config/version", &before)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var after awsVersion
+	err = entry.DecodeJSON(&after)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if diff := deep.Equal(before, after); diff != nil {
+		t.Fatal(diff)
+	}
+}
+
 func resolveArnToFakeUniqueId(ctx context.Context, s logical.Storage, arn string) (string, error) {
 	return "FakeUniqueId1", nil
 }