VAULT-24386 better erroring for Proxy static secret caching for CE (#25661)

Violet Hynes 2024-02-27 10:47:31 -05:00 committed by GitHub
parent f94e2156ce
commit fbfe661a08
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 17 additions and 11 deletions


@ -115,7 +115,7 @@ func (updater *StaticSecretCacheUpdater) streamStaticSecretEvents(ctx context.Co
updater.client.SetToken(updater.tokenSink.(sink.SinkReader).Token())
conn, err := updater.openWebSocketConnection(ctx)
if err != nil {
return fmt.Errorf("error when opening event stream: %w", err)
return err
}
defer conn.Close(websocket.StatusNormalClosure, "")
@ -337,8 +337,8 @@ func (updater *StaticSecretCacheUpdater) openWebSocketConnection(ctx context.Con
// We do ten attempts, to ensure we follow forwarding to the leader.
var conn *websocket.Conn
var resp *http.Response
for attempt := 0; attempt < 10; attempt++ {
var resp *http.Response
conn, resp, err = websocket.Dial(ctx, wsURL, &websocket.DialOptions{
HTTPClient: httpClient,
HTTPHeader: headers,
@ -359,8 +359,13 @@ func (updater *StaticSecretCacheUpdater) openWebSocketConnection(ctx context.Con
}
if err != nil {
if resp != nil {
if resp.StatusCode == http.StatusNotFound {
return nil, fmt.Errorf("received 404 when opening web socket to %s, ensure Vault is Enterprise version 1.16 or above", wsURL)
}
}
return nil, fmt.Errorf("error returned when opening event stream web socket to %s, ensure auto-auth token"+
" has correct permissions and Vault is version 1.16 or above: %w", wsURL, err)
" has correct permissions and Vault is Enterprise version 1.16 or above: %w", wsURL, err)
}
if conn == nil {
@ -408,7 +413,7 @@ tokenLoop:
}
err := updater.streamStaticSecretEvents(ctx)
if err != nil {
updater.logger.Warn("error occurred during streaming static secret cache update events:", err)
updater.logger.Error("error occurred during streaming static secret cache update events", "err", err)
shouldBackoff = true
continue
}
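Review bot: The new 404 branch in openWebSocketConnection (third hunk) builds a fresh error without `%w`, so the Dial error that triggered it is discarded and callers can no longer reach it with errors.Is/errors.As, while the general branch a few lines below does wrap it. Suggest `return nil, fmt.Errorf("received 404 when opening web socket to %s, ensure Vault is Enterprise version 1.16 or above: %w", wsURL, err)`, and the two nested checks can collapse to `if resp != nil && resp.StatusCode == http.StatusNotFound {`. A 404 from the server can also come from a wrong path or namespace rather than a CE build, so a short comment on that branch, e.g. `// 404 most likely means the events endpoint is absent (CE or pre-1.16), but a bad path produces it too`, would keep the hint honest for whoever reads the log. openWebSocketConnection starts and ends outside the hunk, so whether resp's body is closed on the error path is not visible here and is worth confirming against the websocket library's Dial contract.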


@ -135,11 +135,9 @@ func TestNewStaticSecretCacheUpdater(t *testing.T) {
}
// TestOpenWebSocketConnection tests that the openWebSocketConnection function
// works as expected. This uses a TLS enabled (wss) WebSocket connection.
// works as expected (fails on CE, succeeds on ent).
// This uses a TLS enabled (wss) WebSocket connection.
func TestOpenWebSocketConnection(t *testing.T) {
if !constants.IsEnterprise {
t.Skip("test can only run on enterprise due to requiring the event notification system")
}
t.Parallel()
// We need a valid cluster for the connection to succeed.
cluster := minimal.NewTestSoloCluster(t, nil)
@ -149,10 +147,13 @@ func TestOpenWebSocketConnection(t *testing.T) {
updater.tokenSink.WriteToken(client.Token())
conn, err := updater.openWebSocketConnection(context.Background())
if err != nil {
t.Fatal(err)
if constants.IsEnterprise {
require.NoError(t, err)
require.NotNil(t, conn)
} else {
require.Nil(t, conn)
require.Errorf(t, err, "ensure Vault is Enterprise version 1.16 or above")
}
require.NotNil(t, conn)
}
// TestOpenWebSocketConnectionReceivesEventsDefaultMount tests that the openWebSocketConnection function