-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ability to disable an entity #4353
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -802,6 +802,10 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool | |
} | ||
} | ||
|
||
if entity != nil && entity.Disabled { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should we also be disallowing the entity from getting tokens? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed |
||
return nil, te, logical.ErrEntityDisabled | ||
} | ||
|
||
// Check if this is a root protected path | ||
rootPath := c.router.RootPath(req.Path) | ||
|
||
|
@@ -1319,6 +1323,13 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr | |
return retErr | ||
} | ||
|
||
if c.standby { | ||
c.logger.Error("vault cannot seal when in standby mode; please restart instead") | ||
retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead")) | ||
c.stateLock.RUnlock() | ||
return retErr | ||
} | ||
|
||
// Validate the token is a root token | ||
acl, te, entity, err := c.fetchACLTokenEntryAndEntity(req.ClientToken) | ||
if err != nil { | ||
|
@@ -1327,12 +1338,6 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr | |
// for validation and the operation should be performed. But for now, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we remove these comments? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oh, I should move them down. |
||
// just returning with an error and recommending a vault restart, which | ||
// essentially does the same thing. | ||
if c.standby { | ||
c.logger.Error("vault cannot seal when in standby mode; please restart instead") | ||
retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead")) | ||
c.stateLock.RUnlock() | ||
return retErr | ||
} | ||
retErr = multierror.Append(retErr, err) | ||
c.stateLock.RUnlock() | ||
return retErr | ||
|
@@ -1358,6 +1363,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr | |
return retErr | ||
} | ||
|
||
if entity != nil && entity.Disabled { | ||
retErr = multierror.Append(retErr, logical.ErrEntityDisabled) | ||
c.stateLock.RUnlock() | ||
return retErr | ||
} | ||
|
||
// Attempt to use the token (decrement num_uses) | ||
// On error bail out; if the token has been revoked, bail out too | ||
if te != nil { | ||
|
@@ -1466,6 +1477,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) { | |
return retErr | ||
} | ||
|
||
if entity != nil && entity.Disabled { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I wonder if we should do this before audit logging. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No -- for the same reason that we attempt to log whatever we get back from the token store before fully checking validity. The fact that a request is invalid doesn't mean it wasn't an attempted request. |
||
retErr = multierror.Append(retErr, logical.ErrEntityDisabled) | ||
c.stateLock.RUnlock() | ||
return retErr | ||
} | ||
|
||
// Attempt to use the token (decrement num_uses) | ||
if te != nil { | ||
te, err = c.tokenStore.UseToken(ctx, te) | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,144 @@ | ||
package vault_test | ||
|
||
import ( | ||
"strings" | ||
"testing" | ||
|
||
"github.com/hashicorp/vault/api" | ||
"github.com/hashicorp/vault/builtin/credential/approle" | ||
vaulthttp "github.com/hashicorp/vault/http" | ||
"github.com/hashicorp/vault/logical" | ||
"github.com/hashicorp/vault/vault" | ||
) | ||
|
||
func TestIdentityStore_EntityDisabled(t *testing.T) { | ||
// Use a TestCluster and the approle backend to get a token and entity for testing | ||
coreConfig := &vault.CoreConfig{ | ||
CredentialBackends: map[string]logical.Factory{ | ||
"approle": approle.Factory, | ||
}, | ||
} | ||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{ | ||
HandlerFunc: vaulthttp.Handler, | ||
}) | ||
cluster.Start() | ||
defer cluster.Cleanup() | ||
|
||
core := cluster.Cores[0].Core | ||
vault.TestWaitActive(t, core) | ||
client := cluster.Cores[0].Client | ||
|
||
// Mount the auth backend | ||
err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{ | ||
Type: "approle", | ||
}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
// Tune the mount | ||
err = client.Sys().TuneMount("auth/approle", api.MountConfigInput{ | ||
DefaultLeaseTTL: "5m", | ||
MaxLeaseTTL: "5m", | ||
}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
// Create role | ||
resp, err := client.Logical().Write("auth/approle/role/role-period", map[string]interface{}{ | ||
"period": "5m", | ||
}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
// Get role_id | ||
resp, err = client.Logical().Read("auth/approle/role/role-period/role-id") | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
if resp == nil { | ||
t.Fatal("expected a response for fetching the role-id") | ||
} | ||
roleID := resp.Data["role_id"] | ||
|
||
// Get secret_id | ||
resp, err = client.Logical().Write("auth/approle/role/role-period/secret-id", map[string]interface{}{}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
if resp == nil { | ||
t.Fatal("expected a response for fetching the secret-id") | ||
} | ||
secretID := resp.Data["secret_id"] | ||
|
||
// Login | ||
resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{ | ||
"role_id": roleID, | ||
"secret_id": secretID, | ||
}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
if resp == nil { | ||
t.Fatal("expected a response for login") | ||
} | ||
if resp.Auth == nil { | ||
t.Fatal("expected auth object from response") | ||
} | ||
if resp.Auth.ClientToken == "" { | ||
t.Fatal("expected a client token") | ||
} | ||
|
||
roleToken := resp.Auth.ClientToken | ||
|
||
client.SetToken(roleToken) | ||
resp, err = client.Auth().Token().LookupSelf() | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
if resp == nil { | ||
t.Fatal("expected a response for token lookup") | ||
} | ||
entityIDRaw, ok := resp.Data["entity_id"] | ||
if !ok { | ||
t.Fatal("expected an entity ID") | ||
} | ||
entityID, ok := entityIDRaw.(string) | ||
if !ok { | ||
t.Fatal("entity_id not a string") | ||
} | ||
|
||
client.SetToken(cluster.RootToken) | ||
resp, err = client.Logical().Write("identity/entity/id/"+entityID, map[string]interface{}{ | ||
"disabled": true, | ||
}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
// This call should now fail | ||
client.SetToken(roleToken) | ||
resp, err = client.Auth().Token().LookupSelf() | ||
if err == nil { | ||
t.Fatalf("expected error, got %#v", *resp) | ||
} | ||
if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) { | ||
t.Fatalf("expected to see entity disabled error, got %v", err) | ||
} | ||
|
||
client.SetToken(cluster.RootToken) | ||
resp, err = client.Logical().Write("identity/entity/id/"+entityID, map[string]interface{}{ | ||
"disabled": false, | ||
}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
client.SetToken(roleToken) | ||
resp, err = client.Auth().Token().LookupSelf() | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I’m suspicious having this commented out might break if a user upgrades from oss -> ent
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be fine so long as the number is distinct.