Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix race condition with Deriving vault tokens #2275

Merged
merged 2 commits into from
Feb 2, 2017
Merged

Fix race condition with Deriving vault tokens #2275

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9e822a2
Fix race condition with Deriving vault tokens
dadgar Feb 2, 2017
4bf2401
Merge branch 'master' into b-vault-race
dadgar Feb 2, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
24 changes: 17 additions & 7 deletions client/vaultclient/vaultclient.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,13 @@ func (c *vaultClient) Stop() {
close(c.stopCh)
}

// unlockAndUnset is used to unset the vault token on the client and release the
// lock. Helper method for deferring a call that does both.
func (c *vaultClient) unlockAndUnset() {
c.client.SetToken("")
c.lock.Unlock()
}

// DeriveToken takes in an allocation and a set of tasks and for each of the
// task, it derives a vault token from nomad server and unwraps it using vault.
// The return value is a map containing all the unwrapped tokens indexed by the
Expand All @@ -236,6 +243,12 @@ func (c *vaultClient) DeriveToken(alloc *structs.Allocation, taskNames []string)
return nil, fmt.Errorf("vault client is not running")
}

c.lock.Lock()
defer c.unlockAndUnset()

// Use the token supplied to interact with vault
c.client.SetToken("")

return c.tokenDeriver(alloc, taskNames, c.client)
}

Expand All @@ -253,14 +266,11 @@ func (c *vaultClient) GetConsulACL(token, path string) (*vaultapi.Secret, error)
}

c.lock.Lock()
defer c.lock.Unlock()
defer c.unlockAndUnset()

// Use the token supplied to interact with vault
c.client.SetToken(token)

// Reset the token before returning
defer c.client.SetToken("")

// Read the consul ACL token and return the secret directly
return c.client.Logical().Read(path)
}
Expand Down Expand Up @@ -377,9 +387,6 @@ func (c *vaultClient) renew(req *vaultClientRenewalRequest) error {
var renewalErr error
leaseDuration := req.increment
if req.isToken {
// Reset the token in the API client before returning
defer c.client.SetToken("")

// Set the token in the API client to the one that needs
// renewal
c.client.SetToken(req.id)
Expand All @@ -394,6 +401,9 @@ func (c *vaultClient) renew(req *vaultClientRenewalRequest) error {
// Don't set this if renewal fails
leaseDuration = renewResp.Auth.LeaseDuration
}

// Reset the token in the API client before returning
c.client.SetToken("")
} else {
// Renew the secret
renewResp, err := c.client.Sys().Renew(req.id, req.increment)
Expand Down