Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

More Mount Conflict Detection #2919

Merged
merged 17 commits into from
Nov 6, 2017
Merged

More Mount Conflict Detection #2919

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
ff650e5
More Mount Conflict Detection
Jun 24, 2017
af30967
Check for mount conflicts in more places and test helper explicitly
Jun 25, 2017
d848929
Incorporate feedback and add a blurb to the docs
Jun 25, 2017
cf07549
Incorporate feedback in proper file tho
Jun 25, 2017
e8f330e
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Jul 11, 2017
f3136f0
Use a read lock when appropriate
Jul 11, 2017
b0fbfe8
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Jul 27, 2017
bf02212
shuffle around internal router/mount functions
Jul 27, 2017
0f36271
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Aug 4, 2017
6836698
defer is kinda cool 🕶
Aug 4, 2017
314a032
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Sep 17, 2017
23aa611
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Sep 17, 2017
c03b662
Only block path stomping on new mounts
otakup0pe Sep 17, 2017
e2c0f63
Update router.go
jefferai Nov 6, 2017
5b60f6b
Update router_test.go
jefferai Nov 6, 2017
51c948f
Merge branch 'master' into mount-conflict
jefferai Nov 6, 2017
d70bcd5
Merge branch 'master' into mount-conflict
jefferai Nov 6, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions vault/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,8 +74,8 @@ func (c *Core) enableCredential(entry *MountEntry) error {
return fmt.Errorf("token credential backend cannot be instantiated")
}

if match := c.router.MatchingMount(credentialRoutePrefix + entry.Path); match != "" {
return logical.CodedError(409, fmt.Sprintf("existing mount at %s", match))
if conflict := c.router.MountConflict(credentialRoutePrefix + entry.Path); conflict != "" {
return logical.CodedError(409, fmt.Sprintf("existing mount at %s", conflict))
}

// Generate a new UUID and view
Expand Down
4 changes: 2 additions & 2 deletions vault/mount.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -207,8 +207,8 @@ func (c *Core) mount(entry *MountEntry) error {
c.mountsLock.Lock()
defer c.mountsLock.Unlock()

// Verify there is no conflicting mount
if match := c.router.MatchingMount(entry.Path); match != "" {
// Verify there are no conflicting mounts
if match := c.router.MountConflict(entry.Path); match != "" {
return logical.CodedError(409, fmt.Sprintf("existing mount at %s", match))
}

Expand Down
35 changes: 33 additions & 2 deletions vault/router.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ type Router struct {
mountUUIDCache *radix.Tree
mountAccessorCache *radix.Tree
tokenStoreSaltFunc func() (*salt.Salt, error)

// storagePrefix maps the prefix used for storage (ala the BarrierView)
// to the backend. This is used to map a key back into the backend that owns it.
// For example, logical/uuid1/foobar -> secrets/ (kv backend) + foobar
Expand Down Expand Up @@ -201,14 +200,46 @@ func (r *Router) MatchingMountByAccessor(mountAccessor string) *MountEntry {
// MatchingMount returns the mount prefix that would be used for a path
func (r *Router) MatchingMount(path string) string {
r.l.RLock()
mount, _, ok := r.root.LongestPrefix(path)
var mount = r.matchingMountInternal(path)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Nitpick][Optional] We could do a defer r.l.RUnlock() and return r.matchingMountInternal(path) and avoid the local var mount.

r.l.RUnlock()
return mount
}

func (r *Router) matchingMountInternal(path string) string {
mount, _, ok := r.root.LongestPrefix(path)
if !ok {
return ""
}
return mount
}

// matchingPrefixInternal returns a mount prefix that a path may be a part of
func (r *Router) matchingPrefixInternal(path string) string {
var existing string = ""
fn := func(existing_path string, _v interface{}) bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this function executes at all wouldn't it mean that we've found a prefix? Is the if check unnecessary here?

if strings.HasPrefix(existing_path, path) {
existing = existing_path
return true
}
return false
}
r.root.WalkPrefix(path, fn)
return existing
}

// MountConflict determines if there are potential path conflicts
func (r *Router) MountConflict(path string) string {
r.l.RLock()
defer r.l.RUnlock()
if exact_match := r.matchingMountInternal(path); exact_match != "" {
return exact_match
}
if prefix_match := r.matchingPrefixInternal(path); prefix_match != "" {
return prefix_match
}
return ""
}

// MatchingStorageView returns the storageView used for a path
func (r *Router) MatchingStorageView(path string) *BarrierView {
r.l.RLock()
Expand Down
23 changes: 23 additions & 0 deletions vault/router_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,11 @@ func TestRouter_Mount(t *testing.T) {
t.Fatalf("err: %v", err)
}

meUUID, err = uuid.GenerateUUID()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move this to be placed just above the definition of subMountEntry?

if err != nil {
t.Fatal(err)
}

if path := r.MatchingMount("prod/aws/foo"); path != "prod/aws/" {
t.Fatalf("bad: %s", path)
}
Expand Down Expand Up @@ -162,6 +167,24 @@ func TestRouter_Mount(t *testing.T) {
if len(n.Paths) != 1 || n.Paths[0] != "foo" {
t.Fatalf("bad: %v", n.Paths)
}

subMountEntry := &MountEntry{
Path: "prod/",
UUID: meUUID,
Accessor: "prodaccessor",
}

if r.MountConflict("prod/aws/") == "" {
t.Fatalf("bad: prod/aws/")
}

err = r.Mount(n, "prod/", subMountEntry, view)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have a comment here as to why this should pass?

if err != nil {
t.Fatalf("err: %v", err)
}
if r.MountConflict("prod/test") == "" {
t.Fatalf("bad: prod/test/")
}
}

func TestRouter_MountCredential(t *testing.T) {
Expand Down
7 changes: 7 additions & 0 deletions website/source/docs/secrets/index.html.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,13 @@ Once a secret backend is mounted, you can interact with it directly
at its mount point according to its own API. You can use the `vault path-help`
system to determine the paths it responds to.

Note that mount points cannot conflict with each other in Vault. There are
two broad implications of this fact. The first is that you cannot have
a mount which is prefixed with an existing mount. The second is that you
cannot create a mount point that is named as a prefix of an existing mount.
As an example, the mounts `foo/bar` and `foo/baz` can peacefully coexist
with each other whereas `foo` and `foo/baz` cannot

## Barrier View

An important concept around secret backends is that they receive a
Expand Down