mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-05-05 12:26:34 +02:00
Code Issues Projects Releases Wiki Activity

apply oss patch (#31206)

Browse Source
This commit is contained in:
Amir Aslamov 2025-07-03 16:31:08 -04:00 committed by GitHub
parent 75b17b7996
commit 5ec122f45a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 0 additions and 430 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

430
vault/core_metrics.go
View File

@ -5,7 +5,6 @@ package vault
import (
"context"
"encoding/json"
"errors"
"fmt"
"os"
@ -13,7 +12,6 @@ import (
"time"
"github.com/armon/go-metrics"
"github.com/hashicorp/vault/audit"
"github.com/hashicorp/vault/helper/metricsutil"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/helper/pluginconsts"
@ -21,7 +19,6 @@ import (
"github.com/hashicorp/vault/physical/raft"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical"
uicustommessages "github.com/hashicorp/vault/vault/ui_custom_messages"
)
const (
@ -529,161 +526,6 @@ func (c *Core) walkKvSecrets(
return nil
}
// GetLocalAndReplicatedSecretMounts returns the number of replicated and local secret mounts
// across all namespaces, but excludes the default mounts that are pre mounted onto
// each cluster
func (c *Core) GetLocalAndReplicatedSecretMounts() (int, int) {
replicated := 0
local := 0
c.mountsLock.RLock()
defer c.mountsLock.RUnlock()
for _, mount := range c.mounts.Entries {
if mount.Local {
switch mount.Type {
// These types are mounted onto namespaces/root by default and cannot be modified
case mountTypeCubbyhole, mountTypeNSCubbyhole:
default:
local += 1
}
} else {
switch mount.Type {
// These types are mounted onto namespaces/root by default and cannot be modified
case mountTypeIdentity, mountTypeCubbyhole, mountTypeSystem, mountTypeNSIdentity, mountTypeNSSystem, mountTypeNSCubbyhole:
default:
replicated += 1
}
}
}
return replicated, local
}
// GetLocalAndReplicatedAuthMounts returns the number of replicated and local auth mounts
// across all namespaces, but excludes the default mounts that are pre mounted onto
// each cluster
func (c *Core) GetLocalAndReplicatedAuthMounts() (int, int) {
replicated := 0
local := 0
c.authLock.RLock()
defer c.authLock.RUnlock()
for _, mount := range c.auth.Entries {
if mount.Local {
local += 1
} else {
switch mount.Type {
// Token type is mounted onto all namespaces by default and cannot be enabled, disabled, or remounted
case mountTypeToken, mountTypeNSToken:
default:
replicated += 1
}
}
}
return replicated, local
}
// GetAuthenticatedCustomBanners returns the number of authenticated custom
// banners across all namespaces in Vault
func (c *Core) GetAuthenticatedCustomBanners() int {
ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
allNamespaces := c.collectNamespaces()
numAuthCustomBanners := 0
filter := uicustommessages.FindFilter{
IncludeAncestors: false,
}
filter.Authenticated(true)
for _, ns := range allNamespaces {
messages, err := c.customMessageManager.FindMessages(namespace.ContextWithNamespace(ctx, ns), filter)
if err != nil {
c.logger.Error("could not find authenticated custom messages for namespace", "namespace", ns.ID, "error", err)
}
numAuthCustomBanners += len(messages)
}
return numAuthCustomBanners
}
// GetUnauthenticatedCustomBanners returns the number of unauthenticated custom
// banners across all namespaces in Vault
func (c *Core) GetUnauthenticatedCustomBanners() int {
ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
allNamespaces := c.collectNamespaces()
numUnauthCustomBanners := 0
filter := uicustommessages.FindFilter{
IncludeAncestors: false,
}
filter.Authenticated(false)
for _, ns := range allNamespaces {
messages, err := c.customMessageManager.FindMessages(namespace.ContextWithNamespace(ctx, ns), filter)
if err != nil {
c.logger.Error("could not find unauthenticated custom messages for namespace", "namespace", ns.ID, "error", err)
}
numUnauthCustomBanners += len(messages)
}
return numUnauthCustomBanners
}
// GetTotalPkiRoles returns the total roles across all PKI mounts in Vault
func (c *Core) GetTotalPkiRoles(ctx context.Context) int {
c.mountsLock.RLock()
defer c.mountsLock.RUnlock()
numRoles := 0
for _, entry := range c.mounts.Entries {
secretType := entry.Type
if secretType == pluginconsts.SecretEnginePki {
listRequest := &logical.Request{
Operation: logical.ListOperation,
Path: entry.namespace.Path + entry.Path + "roles",
}
resp, err := c.router.Route(ctx, listRequest)
if err != nil || resp == nil {
continue
}
rawKeys, ok := resp.Data["keys"]
if !ok {
continue
}
keys, ok := rawKeys.([]string)
if ok {
numRoles += len(keys)
}
}
}
return numRoles
}
// GetTotalPkiIssuers returns the total issuers across all PKI mounts in Vault
func (c *Core) GetTotalPkiIssuers(ctx context.Context) int {
c.mountsLock.RLock()
defer c.mountsLock.RUnlock()
numRoles := 0
for _, entry := range c.mounts.Entries {
secretType := entry.Type
if secretType == pluginconsts.SecretEnginePki {
listRequest := &logical.Request{
Operation: logical.ListOperation,
Path: entry.namespace.Path + entry.Path + "issuers",
}
resp, err := c.router.Route(ctx, listRequest)
if err != nil || resp == nil {
continue
}
rawKeys, ok := resp.Data["keys"]
if !ok {
continue
}
keys, ok := rawKeys.([]string)
if ok {
numRoles += len(keys)
}
}
}
return numRoles
}
// getMinNamespaceSecrets is expected to be called on the output
// of GetKvUsageMetrics to get the min number of secrets in a single namespace.
func getMinNamespaceSecrets(mapOfNamespacesToSecrets map[string]int) int {
@ -729,126 +571,6 @@ func getMeanNamespaceSecrets(mapOfNamespacesToSecrets map[string]int) int {
return getTotalSecretsAcrossAllNamespaces(mapOfNamespacesToSecrets) / length
}
// GetSecretEngineUsageMetrics returns a map of secret engine mount types to the number of those mounts that exist.
func (c *Core) GetSecretEngineUsageMetrics() map[string]int {
mounts := make(map[string]int)
c.mountsLock.RLock()
defer c.mountsLock.RUnlock()
for _, entry := range c.mounts.Entries {
mountType := entry.Type
if mountType == mountTypeNSIdentity {
mountType = pluginconsts.SecretEngineIdentity
}
if mountType == mountTypeNSSystem {
mountType = pluginconsts.SecretEngineSystem
}
if mountType == mountTypeNSCubbyhole {
mountType = pluginconsts.SecretEngineCubbyhole
}
if _, ok := mounts[mountType]; !ok {
mounts[mountType] = 1
} else {
mounts[mountType] += 1
}
}
return mounts
}
// Get returns a map of auth mount types to the number of those mounts that exist.
func (c *Core) GetAuthMethodUsageMetrics() map[string]int {
mounts := make(map[string]int)
c.authLock.RLock()
defer c.authLock.RUnlock()
for _, entry := range c.auth.Entries {
authType := entry.Type
if authType == mountTypeNSToken {
authType = pluginconsts.AuthTypeToken
}
if _, ok := mounts[authType]; !ok {
mounts[authType] = 1
} else {
mounts[authType] += 1
}
}
return mounts
}
// GetAuthMethodLeaseCounts returns a map of auth mount types to the number of leases those mounts have.
func (c *Core) GetAuthMethodLeaseCounts() (map[string]int, error) {
mounts := make(map[string]int)
c.authLock.RLock()
defer c.authLock.RUnlock()
for _, entry := range c.auth.Entries {
authType := entry.Type
if authType == mountTypeNSToken {
authType = pluginconsts.AuthTypeToken
}
mountPath := fmt.Sprintf("%s/%s", credentialTableType, entry.Path)
keys, err := logical.CollectKeysWithPrefix(c.expiration.quitContext, c.expiration.leaseView(entry.namespace), mountPath)
if err != nil {
return nil, err
}
if _, ok := mounts[authType]; !ok {
mounts[authType] = len(keys)
} else {
mounts[authType] += len(keys)
}
}
return mounts, nil
}
// GetKvUsageMetrics returns a map of namespace paths to KV secret counts within those namespaces.
func (c *Core) GetKvUsageMetrics(ctx context.Context, kvVersion string) (map[string]int, error) {
mounts := c.findKvMounts()
results := make(map[string]int)
if kvVersion == "1" || kvVersion == "2" {
var newMounts []*kvMount
for _, mount := range mounts {
if mount.Version == kvVersion {
newMounts = append(newMounts, mount)
}
}
mounts = newMounts
} else if kvVersion != "0" {
return results, fmt.Errorf("kv version %s not supported, must be 0, 1, or 2", kvVersion)
}
for _, m := range mounts {
select {
case <-ctx.Done():
return nil, fmt.Errorf("context expired")
default:
break
}
c.walkKvMountSecrets(ctx, m)
_, ok := results[m.Namespace.Path]
if ok {
// we need to add, not overwrite
results[m.Namespace.Path] += m.NumSecrets
} else {
results[m.Namespace.Path] = m.NumSecrets
}
}
return results, nil
}
func (c *Core) walkKvMountSecrets(ctx context.Context, m *kvMount) {
var startDirs []string
if m.Version == "1" {
@ -1036,155 +758,3 @@ func (c *Core) configuredPoliciesGaugeCollector(ctx context.Context) ([]metricsu
return values, nil
}
func (c *Core) GetPolicyMetrics(ctx context.Context) map[PolicyType]int {
policyStore := c.policyStore
if policyStore == nil {
c.logger.Error("could not find policy store")
return map[PolicyType]int{}
}
ctx = namespace.RootContext(ctx)
namespaces := c.collectNamespaces()
policyTypes := []PolicyType{
PolicyTypeACL,
PolicyTypeRGP,
PolicyTypeEGP,
}
ret := make(map[PolicyType]int)
for _, pt := range policyTypes {
policies, err := policyStore.policiesByNamespaces(ctx, pt, namespaces)
if err != nil {
c.logger.Error("could not retrieve policies for namespaces", "policy_type", pt.String(), "error", err)
return map[PolicyType]int{}
}
ret[pt] = len(policies)
}
return ret
}
func (c *Core) GetAutopilotUpgradeEnabled() float64 {
raftBackend := c.getRaftBackend()
if raftBackend == nil {
return 0.0
}
config := raftBackend.AutopilotConfig()
if config == nil {
return 0.0
}
// if false, autopilot upgrade is enabled
if !config.DisableUpgradeMigration {
return 1
}
return 0.0
}
func (c *Core) GetAuditDeviceCountByType() map[string]int {
auditCounts := make(map[string]int)
auditCounts["file"] = 0
auditCounts["socketUdp"] = 0
auditCounts["socketTcp"] = 0
auditCounts["socketUnix"] = 0
auditCounts["syslog"] = 0
c.auditLock.RLock()
defer c.auditLock.RUnlock()
// return if audit is not set up
if c.audit == nil {
return auditCounts
}
for _, entry := range c.audit.Entries {
switch entry.Type {
case audit.TypeFile:
auditCounts["file"]++
case audit.TypeSocket:
if entry.Options != nil {
switch strings.ToLower(entry.Options["socket_type"]) {
case "udp":
auditCounts["socketUdp"]++
case "tcp":
auditCounts["socketTcp"]++
case "unix":
auditCounts["socketUnix"]++
}
}
case audit.TypeSyslog:
auditCounts["syslog"]++
}
}
return auditCounts
}
func (c *Core) GetAuditExclusionStanzaCount() int {
exclusionsCount := 0
c.auditLock.RLock()
defer c.auditLock.RUnlock()
// return if audit is not set up
if c.audit == nil {
return exclusionsCount
}
for _, entry := range c.audit.Entries {
excludeRaw, ok := entry.Options["exclude"]
if !ok || excludeRaw == "" {
continue
}
var exclusionObjects []map[string]interface{}
if err := json.Unmarshal([]byte(excludeRaw), &exclusionObjects); err != nil {
c.logger.Error("failed to parse audit exclusion config for device", "path", entry.Path, "error", err)
}
exclusionsCount += len(exclusionObjects)
}
return exclusionsCount
}
func (c *Core) GetControlGroupCount() (int, error) {
policyStore := c.policyStore
if policyStore == nil {
return 0, fmt.Errorf("could not find a policy store")
}
namespaces := c.collectNamespaces()
controlGroupCount := 0
for _, ns := range namespaces {
nsCtx := namespace.ContextWithNamespace(context.Background(), ns)
// get the names of all the ACL policies from on this namespace
policyNames, err := policyStore.ListPolicies(nsCtx, PolicyTypeACL)
if err != nil {
return 0, err
}
for _, name := range policyNames {
policy, err := policyStore.GetPolicy(nsCtx, name, PolicyTypeACL)
if err != nil {
return 0, err
}
// check for control groups inside the path rules of the policy
for _, pathPolicy := range policy.Paths {
if pathPolicy.ControlGroupHCL != nil {
controlGroupCount++
}
}
}
}
return controlGroupCount, nil
}