-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ability to disable an entity #4353
Conversation
This disallows its associated tokens to be used, but doesn't revoke them.
@@ -110,6 +110,10 @@ message Entity { | |||
// MFASecrets holds the MFA secrets indexed by the identifier of the MFA | |||
// method configuration. | |||
//map<string, mfa.Secret> mfa_secrets = 10; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I’m suspicious having this commented out might break if a user upgrades from oss -> ent
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be fine so long as the number is distinct.
@@ -802,6 +802,10 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool | |||
} | |||
} | |||
|
|||
if entity != nil && entity.Disabled { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we also be disallowing the entity from getting tokens?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
@@ -1466,6 +1477,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) { | |||
return retErr | |||
} | |||
|
|||
if entity != nil && entity.Disabled { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if we should do this before audit logging.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No -- for the same reason that we attempt to log whatever we get back from the token store before fully checking validity. The fact that a request is invalid doesn't mean it wasn't an attempted request.
vault/core.go
Outdated
@@ -1327,12 +1338,6 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr | |||
// for validation and the operation should be performed. But for now, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we remove these comments?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I should move them down.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left minor comments. Other than that LGTM!
This disallows its associated tokens to be used, but doesn't revoke
them.