Fix plugin reload when in a namespace #5937

Merged
merged 1 commit into from
Dec 12, 2018
19 changes: 13 additions & 6 deletions vault/logical_system.go
Expand Up @@ -1411,7 +1411,11 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
// Reload the backend to kick off the upgrade process. It should only apply to KV backend so we
// trigger based on the version logic above.
if kvUpgraded {
b.Core.reloadBackendCommon(ctx, mountEntry, strings.HasPrefix(path, credentialRoutePrefix))
err = b.Core.reloadBackendCommon(ctx, mountEntry, strings.HasPrefix(path, credentialRoutePrefix))
if err != nil {
b.Core.logger.Error("mount tuning of options: could not reload backend", "error", err, "path", path, "options", options)
}

}
}

Expand Down Expand Up @@ -2894,6 +2898,11 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica

errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path))

ns, err := namespace.FromContext(ctx)
if err != nil {
return nil, err
}

me := b.Core.router.MatchingMountEntry(ctx, path)
if me == nil {
// Return a permission denied error here so this path cannot be used to
Expand All @@ -2905,6 +2914,9 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
Data: mountInfo(me),
}
resp.Data["path"] = me.Path
if ns.ID != me.Namespace().ID {
Wouldn't MatchingMountEntry always return the mounts for the namespace from the passed in context? In what cases would this check apply?

This fixes being able to reach into sub-namespaces and access the mount info. So if you wanted to do:

vault kv put ns/kv/foo bar=baz

resp.Data["path"] = me.Namespace().Path + me.Path
}

// Load the ACL policies so we can walk the prefix for this mount
acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
Expand All @@ -2924,11 +2936,6 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
return nil, logical.ErrPermissionDenied
}

ns, err := namespace.FromContext(ctx)
if err != nil {
return nil, err
}

if !hasMountAccess(ctx, acl, ns.Path+me.Path) {
return errResp, logical.ErrPermissionDenied
}
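Review bot: The capability check that gates the response still uses the caller's namespace, `if !hasMountAccess(ctx, acl, ns.Path+me.Path)` in the last hunk of this file, while the new branch `if ns.ID != me.Namespace().ID` in the previous hunk reports the mount under `me.Namespace().Path + me.Path`; for a mount entry that lives in a different namespace than the caller, the ACL walk is therefore evaluated against a path the mount is not actually at. If the intent is that a caller must hold access to the mount's real path, the check should be built from the same base as the reported path, e.g. compute `mountPath := me.Namespace().Path + me.Path` once and use it both for `resp.Data["path"]` and for `hasMountAccess(ctx, acl, mountPath)`; if instead cross-namespace entries should never be answered here, the branch should return the permission-denied response rather than only rewriting the path. Which of the two is wanted is not decidable from the hunk, and whether me.Namespace() can return nil is not visible either. pathInternalUIMountRead starts and ends outside the visible hunks.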
6 changes: 3 additions & 3 deletions vault/plugin_reload.go
Expand Up @@ -50,7 +50,7 @@ func (c *Core) reloadMatchingPluginMounts(ctx context.Context, mounts []string)
errors = multierror.Append(errors, errwrap.Wrapf(fmt.Sprintf("cannot reload plugin on %q: {{err}}", mount), err))
continue
}
c.logger.Info("successfully reloaded plugin", "plugin", entry.Type, "path", entry.Path)
c.logger.Info("successfully reloaded plugin", "plugin", entry.Accessor, "path", entry.Path)
}
return errors
}
Expand Down Expand Up @@ -96,7 +96,7 @@ func (c *Core) reloadMatchingPlugin(ctx context.Context, pluginName string) erro
if err != nil {
return err
}
c.logger.Info("successfully reloaded plugin", "plugin", pluginName, "path", entry.Path)
c.logger.Info("successfully reloaded plugin", "plugin", entry.Accessor, "path", entry.Path)
}
}

Expand All @@ -120,7 +120,7 @@ func (c *Core) reloadBackendCommon(ctx context.Context, entry *MountEntry, isAut
}

// Fast-path out if the backend doesn't exist
raw, ok := c.router.root.Get(path)
raw, ok := c.router.root.Get(entry.Namespace().Path + path)
if !ok {
return nil
}
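Review bot: Both reworked Info calls now log `entry.Accessor` under the key `"plugin"`, so a field named plugin carries a mount accessor rather than a plugin identity, and in reloadMatchingPlugin the `pluginName` that was logged before is dropped even though it is still in scope. Keeping the key honest is a one-line change in the second hunk, `c.logger.Info("successfully reloaded plugin", "plugin", pluginName, "accessor", entry.Accessor, "path", entry.Path)`, and correspondingly `"plugin", entry.Type, "accessor", entry.Accessor` in the first hunk if the type was what that log line meant to convey. The third hunk's `c.router.root.Get(entry.Namespace().Path + path)` relies on entry.Namespace() being non-nil for every entry that reaches reloadBackendCommon; that invariant is established outside the hunk, if at all.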
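--- a/vault/testing.go
+++ b/vault/testing.go
@@ -150,6 +150,13 @@ func TestCoreWithSealAndUI(t testing.T, opts *CoreConfig) *Core {
 conf.LicensingConfig = opts.LicensingConfig
 conf.DisableKeyEncodingChecks = opts.DisableKeyEncodingChecks
 
+for k, v := range opts.LogicalBackends {
+conf.LogicalBackends[k] = v
+}
+for k, v := range opts.CredentialBackends {
+conf.CredentialBackends[k] = v
+}
+
 c, err := NewCore(conf)
 if err != nil {
 t.Fatalf("err: %s", err)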
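Review bot: The copy loops write into `conf.LogicalBackends` and `conf.CredentialBackends` without checking that those maps were initialised; if `conf` is built earlier in TestCoreWithSealAndUI (outside the hunk) without a make for them, the first assignment panics on a nil map. A guard before each loop, `if conf.LogicalBackends == nil { conf.LogicalBackends = make(map[string]<BACKEND_FACTORY_TYPE>) }` (likewise for CredentialBackends, using the element type CoreConfig declares), keeps the helper safe for callers that pass backends only through opts. The loops also silently replace any backend of the same name that conf already holds; a comment such as `// entries from opts take precedence over the defaults registered above` would make that intent explicit for the next test author.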