From 5ec122f45a3d04ec85c402cec41ee285e52664fe Mon Sep 17 00:00:00 2001 From: Amir Aslamov Date: Thu, 3 Jul 2025 16:31:08 -0400 Subject: [PATCH] apply oss patch (#31206) --- vault/core_metrics.go | 430 ------------------------------------------ 1 file changed, 430 deletions(-) diff --git a/vault/core_metrics.go b/vault/core_metrics.go index 54e0c7524d..897074b95a 100644 --- a/vault/core_metrics.go +++ b/vault/core_metrics.go @@ -5,7 +5,6 @@ package vault import ( "context" - "encoding/json" "errors" "fmt" "os" @@ -13,7 +12,6 @@ import ( "time" "github.com/armon/go-metrics" - "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/helper/metricsutil" "github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/helper/pluginconsts" @@ -21,7 +19,6 @@ import ( "github.com/hashicorp/vault/physical/raft" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/logical" - uicustommessages "github.com/hashicorp/vault/vault/ui_custom_messages" ) const ( @@ -529,161 +526,6 @@ func (c *Core) walkKvSecrets( return nil } -// GetLocalAndReplicatedSecretMounts returns the number of replicated and local secret mounts -// across all namespaces, but excludes the default mounts that are pre mounted onto -// each cluster -func (c *Core) GetLocalAndReplicatedSecretMounts() (int, int) { - replicated := 0 - local := 0 - c.mountsLock.RLock() - defer c.mountsLock.RUnlock() - for _, mount := range c.mounts.Entries { - if mount.Local { - switch mount.Type { - // These types are mounted onto namespaces/root by default and cannot be modified - case mountTypeCubbyhole, mountTypeNSCubbyhole: - default: - local += 1 - - } - } else { - switch mount.Type { - // These types are mounted onto namespaces/root by default and cannot be modified - case mountTypeIdentity, mountTypeCubbyhole, mountTypeSystem, mountTypeNSIdentity, mountTypeNSSystem, mountTypeNSCubbyhole: - default: - replicated += 1 - } - } - } - return replicated, local -} - -// GetLocalAndReplicatedAuthMounts returns the number of replicated and local auth mounts -// across all namespaces, but excludes the default mounts that are pre mounted onto -// each cluster -func (c *Core) GetLocalAndReplicatedAuthMounts() (int, int) { - replicated := 0 - local := 0 - c.authLock.RLock() - defer c.authLock.RUnlock() - for _, mount := range c.auth.Entries { - if mount.Local { - local += 1 - } else { - switch mount.Type { - // Token type is mounted onto all namespaces by default and cannot be enabled, disabled, or remounted - case mountTypeToken, mountTypeNSToken: - default: - replicated += 1 - - } - } - } - return replicated, local -} - -// GetAuthenticatedCustomBanners returns the number of authenticated custom -// banners across all namespaces in Vault -func (c *Core) GetAuthenticatedCustomBanners() int { - ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace) - allNamespaces := c.collectNamespaces() - numAuthCustomBanners := 0 - filter := uicustommessages.FindFilter{ - IncludeAncestors: false, - } - filter.Authenticated(true) - for _, ns := range allNamespaces { - messages, err := c.customMessageManager.FindMessages(namespace.ContextWithNamespace(ctx, ns), filter) - if err != nil { - c.logger.Error("could not find authenticated custom messages for namespace", "namespace", ns.ID, "error", err) - } - numAuthCustomBanners += len(messages) - } - return numAuthCustomBanners -} - -// GetUnauthenticatedCustomBanners returns the number of unauthenticated custom -// banners across all namespaces in Vault -func (c *Core) GetUnauthenticatedCustomBanners() int { - ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace) - allNamespaces := c.collectNamespaces() - numUnauthCustomBanners := 0 - filter := uicustommessages.FindFilter{ - IncludeAncestors: false, - } - filter.Authenticated(false) - for _, ns := range allNamespaces { - messages, err := c.customMessageManager.FindMessages(namespace.ContextWithNamespace(ctx, ns), filter) - if err != nil { - c.logger.Error("could not find unauthenticated custom messages for namespace", "namespace", ns.ID, "error", err) - } - numUnauthCustomBanners += len(messages) - } - return numUnauthCustomBanners -} - -// GetTotalPkiRoles returns the total roles across all PKI mounts in Vault -func (c *Core) GetTotalPkiRoles(ctx context.Context) int { - c.mountsLock.RLock() - defer c.mountsLock.RUnlock() - - numRoles := 0 - - for _, entry := range c.mounts.Entries { - secretType := entry.Type - if secretType == pluginconsts.SecretEnginePki { - listRequest := &logical.Request{ - Operation: logical.ListOperation, - Path: entry.namespace.Path + entry.Path + "roles", - } - resp, err := c.router.Route(ctx, listRequest) - if err != nil || resp == nil { - continue - } - rawKeys, ok := resp.Data["keys"] - if !ok { - continue - } - keys, ok := rawKeys.([]string) - if ok { - numRoles += len(keys) - } - } - } - return numRoles -} - -// GetTotalPkiIssuers returns the total issuers across all PKI mounts in Vault -func (c *Core) GetTotalPkiIssuers(ctx context.Context) int { - c.mountsLock.RLock() - defer c.mountsLock.RUnlock() - - numRoles := 0 - - for _, entry := range c.mounts.Entries { - secretType := entry.Type - if secretType == pluginconsts.SecretEnginePki { - listRequest := &logical.Request{ - Operation: logical.ListOperation, - Path: entry.namespace.Path + entry.Path + "issuers", - } - resp, err := c.router.Route(ctx, listRequest) - if err != nil || resp == nil { - continue - } - rawKeys, ok := resp.Data["keys"] - if !ok { - continue - } - keys, ok := rawKeys.([]string) - if ok { - numRoles += len(keys) - } - } - } - return numRoles -} - // getMinNamespaceSecrets is expected to be called on the output // of GetKvUsageMetrics to get the min number of secrets in a single namespace. func getMinNamespaceSecrets(mapOfNamespacesToSecrets map[string]int) int { @@ -729,126 +571,6 @@ func getMeanNamespaceSecrets(mapOfNamespacesToSecrets map[string]int) int { return getTotalSecretsAcrossAllNamespaces(mapOfNamespacesToSecrets) / length } -// GetSecretEngineUsageMetrics returns a map of secret engine mount types to the number of those mounts that exist. -func (c *Core) GetSecretEngineUsageMetrics() map[string]int { - mounts := make(map[string]int) - - c.mountsLock.RLock() - defer c.mountsLock.RUnlock() - - for _, entry := range c.mounts.Entries { - mountType := entry.Type - - if mountType == mountTypeNSIdentity { - mountType = pluginconsts.SecretEngineIdentity - } - if mountType == mountTypeNSSystem { - mountType = pluginconsts.SecretEngineSystem - } - if mountType == mountTypeNSCubbyhole { - mountType = pluginconsts.SecretEngineCubbyhole - } - - if _, ok := mounts[mountType]; !ok { - mounts[mountType] = 1 - } else { - mounts[mountType] += 1 - } - } - return mounts -} - -// Get returns a map of auth mount types to the number of those mounts that exist. -func (c *Core) GetAuthMethodUsageMetrics() map[string]int { - mounts := make(map[string]int) - - c.authLock.RLock() - defer c.authLock.RUnlock() - - for _, entry := range c.auth.Entries { - authType := entry.Type - - if authType == mountTypeNSToken { - authType = pluginconsts.AuthTypeToken - } - - if _, ok := mounts[authType]; !ok { - mounts[authType] = 1 - } else { - mounts[authType] += 1 - } - } - return mounts -} - -// GetAuthMethodLeaseCounts returns a map of auth mount types to the number of leases those mounts have. -func (c *Core) GetAuthMethodLeaseCounts() (map[string]int, error) { - mounts := make(map[string]int) - - c.authLock.RLock() - defer c.authLock.RUnlock() - - for _, entry := range c.auth.Entries { - authType := entry.Type - - if authType == mountTypeNSToken { - authType = pluginconsts.AuthTypeToken - } - - mountPath := fmt.Sprintf("%s/%s", credentialTableType, entry.Path) - keys, err := logical.CollectKeysWithPrefix(c.expiration.quitContext, c.expiration.leaseView(entry.namespace), mountPath) - if err != nil { - return nil, err - } - - if _, ok := mounts[authType]; !ok { - mounts[authType] = len(keys) - } else { - mounts[authType] += len(keys) - } - } - return mounts, nil -} - -// GetKvUsageMetrics returns a map of namespace paths to KV secret counts within those namespaces. -func (c *Core) GetKvUsageMetrics(ctx context.Context, kvVersion string) (map[string]int, error) { - mounts := c.findKvMounts() - results := make(map[string]int) - - if kvVersion == "1" || kvVersion == "2" { - var newMounts []*kvMount - for _, mount := range mounts { - if mount.Version == kvVersion { - newMounts = append(newMounts, mount) - } - } - mounts = newMounts - } else if kvVersion != "0" { - return results, fmt.Errorf("kv version %s not supported, must be 0, 1, or 2", kvVersion) - } - - for _, m := range mounts { - select { - case <-ctx.Done(): - return nil, fmt.Errorf("context expired") - default: - break - } - - c.walkKvMountSecrets(ctx, m) - - _, ok := results[m.Namespace.Path] - if ok { - // we need to add, not overwrite - results[m.Namespace.Path] += m.NumSecrets - } else { - results[m.Namespace.Path] = m.NumSecrets - } - } - - return results, nil -} - func (c *Core) walkKvMountSecrets(ctx context.Context, m *kvMount) { var startDirs []string if m.Version == "1" { @@ -1036,155 +758,3 @@ func (c *Core) configuredPoliciesGaugeCollector(ctx context.Context) ([]metricsu return values, nil } - -func (c *Core) GetPolicyMetrics(ctx context.Context) map[PolicyType]int { - policyStore := c.policyStore - - if policyStore == nil { - c.logger.Error("could not find policy store") - return map[PolicyType]int{} - } - - ctx = namespace.RootContext(ctx) - namespaces := c.collectNamespaces() - - policyTypes := []PolicyType{ - PolicyTypeACL, - PolicyTypeRGP, - PolicyTypeEGP, - } - - ret := make(map[PolicyType]int) - for _, pt := range policyTypes { - policies, err := policyStore.policiesByNamespaces(ctx, pt, namespaces) - if err != nil { - c.logger.Error("could not retrieve policies for namespaces", "policy_type", pt.String(), "error", err) - return map[PolicyType]int{} - } - - ret[pt] = len(policies) - } - return ret -} - -func (c *Core) GetAutopilotUpgradeEnabled() float64 { - raftBackend := c.getRaftBackend() - if raftBackend == nil { - return 0.0 - } - - config := raftBackend.AutopilotConfig() - if config == nil { - return 0.0 - } - - // if false, autopilot upgrade is enabled - if !config.DisableUpgradeMigration { - return 1 - } - return 0.0 -} - -func (c *Core) GetAuditDeviceCountByType() map[string]int { - auditCounts := make(map[string]int) - auditCounts["file"] = 0 - auditCounts["socketUdp"] = 0 - auditCounts["socketTcp"] = 0 - auditCounts["socketUnix"] = 0 - auditCounts["syslog"] = 0 - - c.auditLock.RLock() - defer c.auditLock.RUnlock() - - // return if audit is not set up - if c.audit == nil { - return auditCounts - } - - for _, entry := range c.audit.Entries { - switch entry.Type { - case audit.TypeFile: - auditCounts["file"]++ - case audit.TypeSocket: - if entry.Options != nil { - switch strings.ToLower(entry.Options["socket_type"]) { - case "udp": - auditCounts["socketUdp"]++ - case "tcp": - auditCounts["socketTcp"]++ - case "unix": - auditCounts["socketUnix"]++ - } - } - case audit.TypeSyslog: - auditCounts["syslog"]++ - } - } - - return auditCounts -} - -func (c *Core) GetAuditExclusionStanzaCount() int { - exclusionsCount := 0 - - c.auditLock.RLock() - defer c.auditLock.RUnlock() - - // return if audit is not set up - if c.audit == nil { - return exclusionsCount - } - - for _, entry := range c.audit.Entries { - excludeRaw, ok := entry.Options["exclude"] - if !ok || excludeRaw == "" { - continue - } - - var exclusionObjects []map[string]interface{} - if err := json.Unmarshal([]byte(excludeRaw), &exclusionObjects); err != nil { - c.logger.Error("failed to parse audit exclusion config for device", "path", entry.Path, "error", err) - } - - exclusionsCount += len(exclusionObjects) - } - - return exclusionsCount -} - -func (c *Core) GetControlGroupCount() (int, error) { - policyStore := c.policyStore - - if policyStore == nil { - return 0, fmt.Errorf("could not find a policy store") - } - - namespaces := c.collectNamespaces() - controlGroupCount := 0 - - for _, ns := range namespaces { - nsCtx := namespace.ContextWithNamespace(context.Background(), ns) - - // get the names of all the ACL policies from on this namespace - policyNames, err := policyStore.ListPolicies(nsCtx, PolicyTypeACL) - if err != nil { - return 0, err - } - - for _, name := range policyNames { - policy, err := policyStore.GetPolicy(nsCtx, name, PolicyTypeACL) - if err != nil { - return 0, err - } - - // check for control groups inside the path rules of the policy - for _, pathPolicy := range policy.Paths { - if pathPolicy.ControlGroupHCL != nil { - controlGroupCount++ - } - } - } - } - - return controlGroupCount, nil -}