package gitlab
import (
"cmp"
"context"
"errors"
"fmt"
"net/http"
"strings"
"sync"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/locksutil"
"github.com/hashicorp/vault/sdk/logical"
)
// operationPrefixGitlabAccessTokens is the prefix expected on OpenAPI operation ids.
const operationPrefixGitlabAccessTokens = "gitlab"

// backendHelp is the help text for the mount; Factory trims the surrounding
// whitespace before handing it to the framework backend.
const backendHelp = `
The Gitlab Access token auth Backend dynamically generates private
and group tokens.
After mounting this Backend, credentials to manage Gitlab tokens must be configured
with the "^config/(?P<config_name>\w(([\w-.@]+)?\w)?)$" endpoints.
`
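// Factory builds the gitlab backend and returns it as a logical.Backend.
//
// It wires the framework backend (help text, version, paths, secrets, the
// Invalidate callback and the periodic rotation hook) onto a fresh Backend and
// then runs Setup with the supplied config. If Setup fails the error is
// returned with a nil backend rather than a half-initialized one, so a caller
// that only checks the backend value cannot pick up a backend whose Setup
// never completed.
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
	// clients (sync.Map) and lockClientMutex are usable as zero values.
	b := &Backend{
		roleLocks: locksutil.CreateLocks(),
	}
	b.Backend = &framework.Backend{
		BackendType:    logical.TypeLogical,
		Help:           strings.TrimSpace(backendHelp),
		RunningVersion: Version,
		Invalidate:     b.Invalidate,
		PathsSpecial: &logical.Paths{
			LocalStorage: []string{
				framework.WALPrefix,
			},
			// Config entries hold the credentials used to manage Gitlab tokens
			// (see backendHelp); they are listed for seal wrapping.
			SealWrapStorage: []string{
				PathConfigStorage,
			},
		},
		Secrets: []*framework.Secret{
			secretAccessTokens(b),
		},
		Paths: framework.PathAppend(
			[]*framework.Path{
				pathConfig(b),
				pathListConfig(b),
				pathConfigTokenRotate(b),
				pathListRoles(b),
				pathRoles(b),
				pathTokenRoles(b),
			},
		),
		PeriodicFunc: b.periodicFunc,
	}
	if err := b.Setup(ctx, conf); err != nil {
		return nil, err
	}
	return b, nil
}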
// Backend is the plugin's logical backend. It embeds the framework backend
// assembled in Factory and keeps the cached gitlab clients together with the
// locks that guard them.
type Backend struct {
	*framework.Backend
	// clients caches one gitlab client per config name; the map key is the
	// config name, or DefaultConfigName when the name is empty (see GetClient
	// and SetClient). The client is what creates and revokes the access tokens.
	clients sync.Map
	// lockClientMutex guards the gitlab clients and their configs: a change to
	// a config invalidates its client (see Invalidate), which then has to be
	// reinitialized under the lock (see getClient and periodicFunc).
	lockClientMutex sync.RWMutex
	// roleLocks protect access to roles during modification and deletion.
	roleLocks []*locksutil.LockEntry
}
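// periodicFunc is the framework's periodic hook (wired in Factory). On a node
// where WriteSafeReplicationState is true it lists every config entry under
// PathConfigStorage and, for each config with AutoRotateToken set, runs
// checkAndRotateConfigToken.
//
// Errors are collected instead of overwritten: previously a later iteration's
// getConfig result replaced whatever an earlier config or rotation had
// reported, so only the last failure ever surfaced. Now every failure is
// returned, joined. A failure to list the configs is returned immediately.
//
// Locking: lockClientMutex is held while the configs are listed and until the
// first config loads successfully, then released exactly once before the first
// rotation (the rotation path may need the lock itself). Paths that never
// reach that point release it via the defer.
func (b *Backend) periodicFunc(ctx context.Context, req *logical.Request) error {
	b.Logger().Debug("Periodic action executing")
	if !b.WriteSafeReplicationState() {
		return nil
	}

	b.lockClientMutex.Lock()
	// OnceFunc makes the early unlock in the loop and the deferred unlock safe
	// together: whichever runs first releases the lock, the other is a no-op.
	unlock := sync.OnceFunc(b.lockClientMutex.Unlock)
	defer unlock()

	configs, err := req.Storage.List(ctx, fmt.Sprintf("%s/", PathConfigStorage))
	if err != nil {
		return err
	}

	var errs []error
	for _, name := range configs {
		config, cfgErr := getConfig(ctx, req.Storage, name)
		if cfgErr != nil {
			// Keep going: one unreadable config must not stop rotation of the others.
			errs = append(errs, cfgErr)
			continue
		}
		b.Logger().Debug("Trying to rotate the config", "name", name)
		unlock()
		if config != nil && config.AutoRotateToken {
			// Auto-rotation is enabled for this config; run the rotation check.
			errs = append(errs, b.checkAndRotateConfigToken(ctx, req, config))
		}
	}
	// errors.Join ignores nil entries and returns nil when nothing failed.
	return errors.Join(errs...)
}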
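// Invalidate is the framework's Invalidate callback (wired in Factory). When
// the storage key of a config entry changes it evicts the cached gitlab client
// for that config, so the next getClient call rebuilds it from the new
// configuration. Keys outside PathConfigStorage are ignored.
//
// The config name is whatever follows the first "/" in the key. A key with no
// "/" carries no config name; it is logged and ignored instead of indexing
// past the end of the split result, which previously panicked.
func (b *Backend) Invalidate(ctx context.Context, key string) {
	b.Logger().Debug("Backend invalidate", "key", key)
	if !strings.HasPrefix(key, PathConfigStorage) {
		return
	}
	_, name, found := strings.Cut(key, "/")
	if !found {
		b.Logger().Debug("Backend invalidate: key has no config name", "key", key)
		return
	}
	b.Logger().Warn(fmt.Sprintf("Gitlab config for %s changed, reinitializing the gitlab client", name))
	// Evict under the write lock so a concurrent getClient does not rebuild
	// the client from the old config in between.
	b.lockClientMutex.Lock()
	defer b.lockClientMutex.Unlock()
	b.clients.Delete(name)
}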
// GetClient returns the cached gitlab client stored under name, or under
// DefaultConfigName when name is empty. It returns nil when nothing is cached.
func (b *Backend) GetClient(name string) Client {
	key := cmp.Or(name, DefaultConfigName)
	cached, found := b.clients.Load(key)
	if !found {
		return nil
	}
	return cached.(Client)
}
// SetClient caches client under name (DefaultConfigName when name is empty).
// A nil client is never stored; the call is logged and otherwise ignored.
func (b *Backend) SetClient(client Client, name string) {
	key := cmp.Or(name, DefaultConfigName)
	switch client {
	case nil:
		b.Logger().Debug("Setting a nil client")
	default:
		b.Logger().Debug("Setting a new client")
		b.clients.Store(key, client)
	}
}
// getClient returns a usable gitlab client for the named config.
//
// A cached client that still reports Valid is returned as is. Otherwise the
// config is loaded from storage under the read lock and a client is built:
// one supplied via the context (GitlabClientFromContext) wins and is not
// cached; else NewGitlabClient is called with the context's *http.Client (if
// any) and the result is cached through SetClient on success.
//
// Returns the client and a nil error, or nil and the error from getConfig or
// NewGitlabClient.
func (b *Backend) getClient(ctx context.Context, s logical.Storage, name string) (client Client, err error) {
	key := cmp.Or(name, DefaultConfigName)
	if cached, found := b.clients.Load(key); found {
		client = cached.(Client)
	}
	if client != nil && client.Valid(ctx) {
		b.Logger().Debug("Returning existing gitlab client")
		return client, nil
	}

	// The cached client is missing or stale; rebuild it from the stored config.
	b.lockClientMutex.RLock()
	defer b.lockClientMutex.RUnlock()

	config, cfgErr := getConfig(ctx, s, name)
	if cfgErr != nil {
		b.Logger().Error("Failed to retrieve configuration", "error", cfgErr.Error())
		return nil, cfgErr
	}

	// A missing http client in the context is not an error here; nil is passed on.
	var httpClient *http.Client
	httpClient, _ = HttpClientFromContext(ctx)

	if client, _ = GitlabClientFromContext(ctx); client != nil {
		return client, nil
	}
	client, err = NewGitlabClient(config, httpClient, b.Logger())
	if err == nil {
		b.SetClient(client, name)
	}
	return client, err
}