Add the ability to view and list lease metadata #2650
Changes from 10 commits
7ba95c8
cc209b1
e0ba238
68681b6
093766d
2e15776
65cedd9
342bebe
ebf24ab
7694708
c3bbe55
585464a
9ac7d8d
54b6bbc
426354b
0223fc8
619cb2e
5577099
@@ -55,14 +55,16 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
Root: []string{ | ||
"auth/*", | ||
"remount", | ||
"revoke-prefix/*", | ||
"audit", | ||
"audit/*", | ||
"raw/*", | ||
"replication/primary/secondary-token", | ||
"replication/reindex", | ||
"rotate", | ||
"config/auditing/*", | ||
"lease/lookup*", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can this be There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I debated this but wanted to match the other paths that had similar functions, like There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The difference with There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also, lease lookup should definitely not be a root path. |
||
"lease/revoke-prefix/*", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we also add There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It is probably the right thing to do but this would be a change in behavior. I just want to make sure that what we want to do. I will note it in the changelog if we decide to go that route. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Generally we reserve root paths for functions that can be super destructive or super sensitive from a security standpoint. |
||
"revoke-prefix/*", | ||
}, | ||
|
||
Unauthenticated: []string{ | ||
|
@@ -299,7 +301,30 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "renew" + framework.OptionalParamRegex("url_lease_id"), | ||
Pattern: "lease/lookup" + framework.OptionalParamRegex("prefix"), | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"lease_id": &framework.FieldSchema{ | ||
Type: framework.TypeString, | ||
Description: strings.TrimSpace(sysHelp["lease_id"][0]), | ||
}, | ||
"prefix": &framework.FieldSchema{ | ||
Type: framework.TypeString, | ||
Description: strings.TrimSpace(sysHelp["lease-list-prefix"][0]), | ||
}, | ||
}, | ||
|
||
Callbacks: map[logical.Operation]framework.OperationFunc{ | ||
logical.UpdateOperation: b.handleLeaseLookup, | ||
logical.ListOperation: b.handleLeaseLookupList, | ||
}, | ||
|
||
HelpSynopsis: strings.TrimSpace(sysHelp["lease"][0]), | ||
HelpDescription: strings.TrimSpace(sysHelp["lease"][1]), | ||
}, | ||
|
||
&framework.Path{ | ||
Pattern: "(lease/)?renew" + framework.OptionalParamRegex("url_lease_id"), | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"url_lease_id": &framework.FieldSchema{ | ||
|
@@ -325,7 +350,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "revoke" + framework.OptionalParamRegex("url_lease_id"), | ||
Pattern: "(lease/)?revoke" + framework.OptionalParamRegex("url_lease_id"), | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"url_lease_id": &framework.FieldSchema{ | ||
|
@@ -347,7 +372,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "revoke-force/(?P<prefix>.+)", | ||
Pattern: "(lease/)?revoke-force/(?P<prefix>.+)", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"prefix": &framework.FieldSchema{ | ||
|
@@ -365,7 +390,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
}, | ||
|
||
&framework.Path{ | ||
Pattern: "revoke-prefix/(?P<prefix>.+)", | ||
Pattern: "(lease/)?revoke-prefix/(?P<prefix>.+)", | ||
|
||
Fields: map[string]*framework.FieldSchema{ | ||
"prefix": &framework.FieldSchema{ | ||
|
@@ -686,6 +711,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen | |
HelpSynopsis: strings.TrimSpace(sysHelp["audited-headers-name"][0]), | ||
HelpDescription: strings.TrimSpace(sysHelp["audited-headers-name"][1]), | ||
}, | ||
|
||
&framework.Path{ | ||
Pattern: "config/auditing/request-headers$", | ||
|
||
|
@@ -1274,6 +1300,56 @@ func (b *SystemBackend) handleTuneWriteCommon( | |
return nil, nil | ||
} | ||
|
||
// handleLeasse is use to view the metadata for a given LeaseID | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. s/handleLeasse/handleLeaseLookup |
||
func (b *SystemBackend) handleLeaseLookup( | ||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
leaseID := data.Get("lease_id").(string) | ||
if leaseID == "" { | ||
return logical.ErrorResponse("lease_id must be specified"), | ||
logical.ErrInvalidRequest | ||
} | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we have a check for There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Will do. |
||
leaseTimes, err := b.Core.expiration.FetchLeaseTimes(leaseID) | ||
if err != nil { | ||
b.Backend.Logger().Error("sys: error retrieving lease", "lease_id", leaseID, "error", err) | ||
return handleError(err) | ||
} | ||
if leaseTimes == nil { | ||
return logical.ErrorResponse("invalid lease"), logical.ErrInvalidRequest | ||
} | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we add a comment here explaining why we are setting values to nil beforehand. This will avoid people removing it in future. |
||
resp := &logical.Response{ | ||
Data: map[string]interface{}{ | ||
"id": leaseID, | ||
"creation_time": leaseTimes.IssueTime, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This has a different type than There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There's a type discrepancy with |
||
"renewable": leaseTimes.renewable(), | ||
}, | ||
} | ||
if !leaseTimes.LastRenewalTime.IsZero() { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sorry for circling around on this. On a second thought, the idea of having fields with default values (like you were doing earlier) does seem like a sensible thing to do too. What might be of concern is that this API will not have deterministic number of response fields. That is okay I guess but I am not sure if that is a problem. Bringing this up so we can all agree on this and move forward. |
||
resp.Data["last_renewal_time"] = leaseTimes.LastRenewalTime | ||
} | ||
if !leaseTimes.ExpireTime.IsZero() { | ||
resp.Data["expire_time"] = leaseTimes.ExpireTime | ||
resp.Data["ttl"] = leaseTimes.ttl() | ||
} | ||
return resp, nil | ||
} | ||
|
||
func (b *SystemBackend) handleLeaseLookupList( | ||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
prefix := data.Get("prefix").(string) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can you add a check to make sure prefix is not There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Empty prefix is valid and will list the top level keys. |
||
if !strings.HasSuffix(prefix, "/") { | ||
prefix = prefix + "/" | ||
} | ||
|
||
keys, err := b.Core.expiration.idView.List(prefix) | ||
if err != nil { | ||
b.Backend.Logger().Error("sys: error listing leases", "prefix", prefix, "error", err) | ||
return handleError(err) | ||
} | ||
return logical.ListResponse(keys), nil | ||
} | ||
|
||
// handleRenew is used to renew a lease with a given LeaseID | ||
func (b *SystemBackend) handleRenew( | ||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
|
@@ -2429,4 +2505,19 @@ This path responds to the following HTTP methods. | |
"Lists the headers configured to be audited.", | ||
`Returns a list of headers that have been configured to be audited.`, | ||
}, | ||
|
||
"lease": { | ||
``, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Reminder to fill these out. |
||
``, | ||
}, | ||
|
||
"lease-list": { | ||
``, | ||
``, | ||
}, | ||
|
||
"lease-list-prefix": { | ||
`The path to list leases under. Example: "prod/aws/ops"`, | ||
`Returns a list of lease ids.`, | ||
}, | ||
} |
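Review bot: The `(lease/)?` prefix added to the renew, revoke, revoke-force and revoke-prefix patterns gives every one of those operations a second request path, and Vault ACL policies are matched against the literal request path, so an existing policy that grants or denies `sys/revoke-prefix/*` says nothing about `sys/lease/revoke-prefix/*`; a deny rule written for the old spelling can be sidestepped through the new one until operators update their policies. This aliasing is not mentioned anywhere in the diff, and I would record it next to the first aliased pattern: `// Each lease path is also reachable without the lease/ prefix; ACLs match the literal request path, so policies must name both spellings.` Separately, `handleLeaseLookupList` rewrites an empty prefix to `"/"` before calling `idView.List`, which is not obviously equivalent to listing with `""` as the review thread assumes; a test of `sys/lease/lookup/` with no prefix would settle whether the top-level listing actually works. The help strings for `"lease"` and `"lease-list"` are still empty, so the endpoint currently ships with no `HelpSynopsis`/`HelpDescription` text.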
What is the point of doing this?
I thought this was a bit confusing and was just consolidating the logic for dealing with the error, which the expiration manager uses, and returning the value of renewable.
I'm concerned about people defaulting to use this function when in fact the exact error returned can be useful, e.g. in a debugging/logs context.