From fd2c737c5156a20d7cb753c6459014f27596dc84 Mon Sep 17 00:00:00 2001 From: Violet Hynes Date: Fri, 3 Nov 2023 10:24:43 -0400 Subject: [PATCH] Fix lifetime watcher user agent reporting Vault Agent for Vault Proxy requests (#23944) --- command/agent.go | 24 +++++++++---------- command/agent/cache_end_to_end_test.go | 9 +++---- .../agentproxyshared/cache/api_proxy_test.go | 9 +++---- command/agentproxyshared/cache/lease_cache.go | 18 ++++++++++---- .../cache/lease_cache_test.go | 3 +++ command/agentproxyshared/helpers_test.go | 9 +++---- command/proxy.go | 1 + 7 files changed, 44 insertions(+), 29 deletions(-) diff --git a/command/agent.go b/command/agent.go index c59a852f1e..7c2de32886 100644 --- a/command/agent.go +++ b/command/agent.go @@ -25,14 +25,6 @@ import ( "github.com/hashicorp/go-secure-stdlib/gatedwriter" "github.com/hashicorp/go-secure-stdlib/parseutil" "github.com/hashicorp/go-secure-stdlib/reloadutil" - "github.com/kr/pretty" - "github.com/mitchellh/cli" - "github.com/oklog/run" - "github.com/posener/complete" - "golang.org/x/text/cases" - "golang.org/x/text/language" - "google.golang.org/grpc/test/bufconn" - "github.com/hashicorp/vault/api" agentConfig "github.com/hashicorp/vault/command/agent/config" "github.com/hashicorp/vault/command/agent/exec" @@ -52,6 +44,13 @@ import ( "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/version" + "github.com/kr/pretty" + "github.com/mitchellh/cli" + "github.com/oklog/run" + "github.com/posener/complete" + "golang.org/x/text/cases" + "golang.org/x/text/language" + "google.golang.org/grpc/test/bufconn" ) var ( 
@@ -490,10 +489,11 @@ func (c *AgentCommand) Run(args []string) int {
 // Create the lease cache proxier and set its underlying proxier to
 // the API proxier.
 leaseCache, err = cache.NewLeaseCache(&cache.LeaseCacheConfig{
- Client: proxyClient,
- BaseContext: ctx,
- Proxier: apiProxy,
- Logger: cacheLogger.Named("leasecache"),
+ Client: proxyClient,
+ BaseContext: ctx,
+ Proxier: apiProxy,
+ Logger: cacheLogger.Named("leasecache"),
+ UserAgentToUse: useragent.ProxyAPIProxyString(),
 })
 if err != nil {
 c.UI.Error(fmt.Sprintf("Error creating lease cache: %v", err))
diff --git a/command/agent/cache_end_to_end_test.go b/command/agent/cache_end_to_end_test.go
index 7ddd7f0d73..bd0a8555ed 100644
--- a/command/agent/cache_end_to_end_test.go
+++ b/command/agent/cache_end_to_end_test.go
@@ -176,10 +176,11 @@ func TestCache_UsingAutoAuthToken(t *testing.T) {
 // Create the lease cache proxier and set its underlying proxier to
 // the API proxier.
 leaseCache, err := cache.NewLeaseCache(&cache.LeaseCacheConfig{
- Client: client,
- BaseContext: ctx,
- Proxier: apiProxy,
- Logger: cacheLogger.Named("leasecache"),
+ Client: client,
+ BaseContext: ctx,
+ Proxier: apiProxy,
+ Logger: cacheLogger.Named("leasecache"),
+ UserAgentToUse: "test",
 })
 if err != nil {
 t.Fatal(err)
diff --git a/command/agentproxyshared/cache/api_proxy_test.go b/command/agentproxyshared/cache/api_proxy_test.go
index 1350512e01..48252f68d0 100644
--- a/command/agentproxyshared/cache/api_proxy_test.go
+++ b/command/agentproxyshared/cache/api_proxy_test.go
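Review bot: The `UserAgentToUse` values look swapped between the two callers: the `@@ -490,10 +489,11 @@` hunk in `AgentCommand.Run` (command/agent.go) passes `useragent.ProxyAPIProxyString()`, while the `ProxyCommand.Run` hunk in command/proxy.go passes `useragent.AgentProxyString()`. Going by the helper names, Agent should read `UserAgentToUse: useragent.AgentProxyString(),` and Proxy `UserAgentToUse: useragent.ProxyAPIProxyString(),`. As written, lifetime-watcher renewals would carry the other product's User-Agent, so any request or audit record that captures the header would misattribute them, which is the problem the commit title says it fixes. Both `Run` bodies continue outside their hunks and the useragent helpers are not shown here, so confirm against their definitions.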
@@ -272,10 +272,11 @@ func setupClusterAndAgentCommon(ctx context.Context, t *testing.T, coreConfig *v // Create the lease cache proxier and set its underlying proxier to // the API proxier. leaseCache, err = NewLeaseCache(&LeaseCacheConfig{ - Client: clienToUse, - BaseContext: ctx, - Proxier: apiProxy, - Logger: cacheLogger.Named("leasecache"), + Client: clienToUse, + BaseContext: ctx, + Proxier: apiProxy, + Logger: cacheLogger.Named("leasecache"), + UserAgentToUse: "test", }) if err != nil { t.Fatal(err) diff --git a/command/agentproxyshared/cache/lease_cache.go b/command/agentproxyshared/cache/lease_cache.go index 0db186d580..79beb94aa2 100644 --- a/command/agentproxyshared/cache/lease_cache.go +++ b/command/agentproxyshared/cache/lease_cache.go @@ -26,7 +26,6 @@ import ( "github.com/hashicorp/vault/command/agentproxyshared/cache/cachememdb" "github.com/hashicorp/vault/helper/namespace" nshelper "github.com/hashicorp/vault/helper/namespace" - "github.com/hashicorp/vault/helper/useragent" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/cryptoutil" @@ -85,6 +84,10 @@ type LeaseCache struct { baseCtxInfo *cachememdb.ContextInfo l *sync.RWMutex + // userAgentToUse is the user agent to use when making independent requests + // to Vault. + userAgentToUse string + // idLocks is used during cache lookup to ensure that identical requests made // in parallel won't trigger multiple renewal goroutines. idLocks []*locksutil.LockEntry @@ -115,6 +118,7 @@ type LeaseCacheConfig struct { BaseContext context.Context Proxier Proxier Logger hclog.Logger + UserAgentToUse string Storage *cacheboltdb.BoltStorage CacheStaticSecrets bool } 
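Review bot: `LeaseCacheConfig.UserAgentToUse` is added in the `@@ -115,6 +118,7 @@` hunk of lease_cache.go without a doc comment, although `NewLeaseCache` now rejects an empty value, so callers only learn it is mandatory from the constructor's error. I would add `// UserAgentToUse is required; it is the User-Agent set on requests the lease cache makes on its own rather than on behalf of a caller.` above the field, mirroring the comment the private `userAgentToUse` field receives in the `@@ -85,6 +84,10 @@` hunk. Both struct definitions start outside their hunks.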
@@ -150,6 +154,10 @@ func NewLeaseCache(conf *LeaseCacheConfig) (*LeaseCache, error) { return nil, fmt.Errorf("nil API client") } + if conf.UserAgentToUse == "" { + return nil, fmt.Errorf("no user agent specified -- see useragent.go") + } + db, err := cachememdb.New() if err != nil { return nil, err @@ -162,6 +170,7 @@ func NewLeaseCache(conf *LeaseCacheConfig) (*LeaseCache, error) { client: conf.Client, proxier: conf.Proxier, logger: conf.Logger, + userAgentToUse: conf.UserAgentToUse, db: db, baseCtxInfo: baseCtxInfo, l: &sync.RWMutex{}, @@ -738,11 +747,10 @@ func (c *LeaseCache) startRenewing(ctx context.Context, index *cachememdb.Index, headers = make(http.Header) } - // We do not preserve the initial User-Agent here (i.e. use - // AgentProxyStringWithProxiedUserAgent) since these requests are from - // the proxy subsystem, but are made by Agent's lifetime watcher, + // We do not preserve any initial User-Agent here since these requests are from + // the proxy subsystem, but are made by the lease cache's lifetime watcher, // not triggered by a specific request. - headers.Set("User-Agent", useragent.AgentProxyString()) + headers.Set("User-Agent", c.userAgentToUse) client.SetHeaders(headers) watcher, err := client.NewLifetimeWatcher(&api.LifetimeWatcherInput{ diff --git a/command/agentproxyshared/cache/lease_cache_test.go b/command/agentproxyshared/cache/lease_cache_test.go index 6ede59e01e..45972b6918 100644 --- a/command/agentproxyshared/cache/lease_cache_test.go +++ b/command/agentproxyshared/cache/lease_cache_test.go @@ -48,6 +48,7 @@ func testNewLeaseCache(t *testing.T, responses []*SendResponse) *LeaseCache { Proxier: NewMockProxier(responses), Logger: logging.NewVaultLogger(hclog.Trace).Named("cache.leasecache"), CacheStaticSecrets: true, + UserAgentToUse: "test", }) if err != nil { t.Fatal(err) 
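Review bot: Nothing visible in this patch asserts the header that `startRenewing` now sets with `headers.Set("User-Agent", c.userAgentToUse)`: every test caller passes the literal `"test"`, and none of the changed test hunks checks the User-Agent on a renewal request. A test that drives a renewal against a stub endpoint and compares the received header with the configured value, plus one assertion each for the Agent and Proxy commands, would catch a wrong constant at a call site. Separately, the error text in the `@@ -150,6 +154,10 @@` hunk points at a bare file name; `fmt.Errorf("no user agent specified -- see helper/useragent")` would name the package that the removed import shows the helpers live in. `startRenewing` and `NewLeaseCache` both continue outside their hunks.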
@@ -69,6 +70,7 @@ func testNewLeaseCacheWithDelay(t *testing.T, cacheable bool, delay int) *LeaseC Proxier: &mockDelayProxier{cacheable, delay}, Logger: logging.NewVaultLogger(hclog.Trace).Named("cache.leasecache"), CacheStaticSecrets: true, + UserAgentToUse: "test", }) if err != nil { t.Fatal(err) @@ -90,6 +92,7 @@ func testNewLeaseCacheWithPersistence(t *testing.T, responses []*SendResponse, s Logger: logging.NewVaultLogger(hclog.Trace).Named("cache.leasecache"), Storage: storage, CacheStaticSecrets: true, + UserAgentToUse: "test", }) require.NoError(t, err) diff --git a/command/agentproxyshared/helpers_test.go b/command/agentproxyshared/helpers_test.go index 2e5244f525..9838497111 100644 --- a/command/agentproxyshared/helpers_test.go +++ b/command/agentproxyshared/helpers_test.go @@ -22,10 +22,11 @@ func testNewLeaseCache(t *testing.T, responses []*cache.SendResponse) *cache.Lea t.Fatal(err) } lc, err := cache.NewLeaseCache(&cache.LeaseCacheConfig{ - Client: client, - BaseContext: context.Background(), - Proxier: cache.NewMockProxier(responses), - Logger: logging.NewVaultLogger(hclog.Trace).Named("cache.leasecache"), + Client: client, + BaseContext: context.Background(), + Proxier: cache.NewMockProxier(responses), + Logger: logging.NewVaultLogger(hclog.Trace).Named("cache.leasecache"), + UserAgentToUse: "test", }) if err != nil { t.Fatal(err) diff --git a/command/proxy.go b/command/proxy.go index 2d7c74bf05..890eee6cfc 100644 --- a/command/proxy.go +++ b/command/proxy.go @@ -447,6 +447,7 @@ func (c *ProxyCommand) Run(args []string) int { Proxier: apiProxy, Logger: cacheLogger.Named("leasecache"), CacheStaticSecrets: config.Cache.CacheStaticSecrets, + UserAgentToUse: useragent.AgentProxyString(), }) if err != nil { c.UI.Error(fmt.Sprintf("Error creating lease cache: %v", err))