Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a /config/rotate-root path to the ldap auth backend #24099

Merged
merged 20 commits into from
Nov 27, 2023
Merged

Add a /config/rotate-root path to the ldap auth backend #24099

merged 20 commits into from
Nov 27, 2023

Conversation

kpcraig
Copy link
Contributor

@kpcraig kpcraig commented Nov 10, 2023

This PR adds a rotate-root functionality to the LDAP auth backend.

@kpcraig kpcraig requested a review from a team as a code owner November 10, 2023 18:21
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Nov 10, 2023
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 10, 2023
edited
Loading

Build Results:
All builds succeeded! ✅

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 10, 2023
edited
Loading

CI Results:
All Go tests succeeded! ✅

raymonstah
raymonstah reviewed Nov 10, 2023
View reviewed changes
Copy link
Contributor

@raymonstah raymonstah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there any tests we can add to validate the new path?

builtin/credential/ldap/path_config_rotate_root.go
Comment on lines +51 to +56
// grab our ldap client
client := ldaputil.Client{
Logger: b.Logger(),
LDAP: ldaputil.NewLDAP(),
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this live on the *backend struct so we can reuse it or does the client need to be created every time?
Also, there's a newer cap/ldap client that we're trying to migrate to. Any reason not to use this one instead?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 on potentially adding a getClient helper on the backend struct. That would also match up with other plugins

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i thought about this - this is the only place this particular is currently used in this (credential/)ldap, and i want to avoid confusion with the other similarly named one (cap/ldap/Client).

Possibly whoever adds the second use of this client can add the helper?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not overly concerned with having a helper method, but more so wondering why we can't reuse the same instance of the ldap client. Probably not too concerning though, assuming that root rotation isn't a high-volume endpoint.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't notice the earlier mention of the cap client the first time around - the issue i encountered was that it wasn't interacting with LDAP at the level I needed to make Modify calls to the server, although maybe there was a way to do it that I missed.

I'm not too worried about multiple instantiations of the ldap client - whatever we're allocating is pretty thin each time, and rotate-root is going to be pretty low volume.

@kpcraig kpcraig added this to the 1.16.0-rc1 milestone Nov 16, 2023
fairclothjm
fairclothjm reviewed Nov 16, 2023
View reviewed changes
Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there any tests we could add to this?

@kpcraig
Copy link
Contributor Author

kpcraig commented Nov 16, 2023

Are there any tests we could add to this?

I added a test cribbing from backend_test. As you might imagine, it's based on having an external ldap set up, but i matched the expectations to the one from the backend tests.

fairclothjm
fairclothjm reviewed Nov 17, 2023
View reviewed changes
@kpcraig kpcraig force-pushed the VAULT-21415/ldap-auth-rotate-root branch from 49ce79f to 1223cab Compare November 17, 2023 17:46
@austingebauer austingebauer self-requested a review November 22, 2023 17:28
austingebauer
austingebauer reviewed Nov 22, 2023
View reviewed changes
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good! Will ✅ after the comments are addressed.

vinay-gopalan
vinay-gopalan approved these changes Nov 22, 2023
View reviewed changes
Copy link
Contributor

@vinay-gopalan vinay-gopalan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Had a small additional nit around copywrite headers for getting CI cleared

austingebauer
austingebauer approved these changes Nov 22, 2023
View reviewed changes
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉

@kpcraig kpcraig merged commit 9b7d068 into main Nov 27, 2023
@kpcraig kpcraig deleted the VAULT-21415/ldap-auth-rotate-root branch November 27, 2023 20:48
@Monkeychip Monkeychip mentioned this pull request Nov 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fairclothjm fairclothjm fairclothjm left review comments

@vinay-gopalan vinay-gopalan vinay-gopalan approved these changes

@maxcoulombe maxcoulombe maxcoulombe left review comments

@raymonstah raymonstah raymonstah approved these changes

@austingebauer austingebauer austingebauer approved these changes

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.16.0-rc1
Development

Successfully merging this pull request may close these issues.
6 participants
@kpcraig @raymonstah @fairclothjm @austingebauer @vinay-gopalan @maxcoulombe