* enable registering backend muxed plugins in plugin catalog * set the sysview on the pluginconfig to allow enabling secrets/auth plugins * store backend instances in map * store single implementations in the instances map cleanup instance map and ensure we don't deadlock * fix system backend unit tests move GetMultiplexIDFromContext to pluginutil package fix pluginutil test fix dbplugin ut * return error(s) if we can't get the plugin client update comments * refactor/move GetMultiplexIDFromContext test * add changelog * remove unnecessary field on pluginClient * add unit tests to PluginCatalog for secrets/auth plugins * fix comment * return pluginClient from TestRunTestPlugin * add multiplexed backend test * honor metadatamode value in newbackend pluginconfig * check that connection exists on cleanup * add automtls to secrets/auth plugins * don't remove apiclientmeta parsing * use formatting directive for fmt.Errorf * fix ut: remove tls provider func * remove tlsproviderfunc from backend plugin tests * use env var to prevent test plugin from running as a unit test * WIP: remove lazy loading * move non lazy loaded backend to new package * use version wrapper for backend plugin factory * remove backendVersionWrapper type * implement getBackendPluginType for plugin catalog * handle backend plugin v4 registration * add plugin automtls env guard * modify plugin factory to determine the backend to use * remove old pluginsets from v5 and log pid in plugin catalog * add reload mechanism via context * readd v3 and v4 to pluginset * call cleanup from reload if non-muxed * move v5 backend code to new package * use context reload for for ErrPluginShutdown case * add wrapper on v5 backend * fix run config UTs * fix unit tests - use v4/v5 mapping for plugin versions - fix test build err - add reload method on fakePluginClient - add multiplexed cases for integration tests * remove comment and update AutoMTLS field in test * remove comment * remove errwrap and unused context * 
only support metadatamode false for v5 backend plugins * update plugin catalog errors * use const for env variables * rename locks and remove unused * remove unneeded nil check * improvements based on staticcheck recommendations * use const for single implementation string * use const for context key * use info default log level * move pid to pluginClient struct * remove v3 and v4 from multiplexed plugin set * return from reload when non-multiplexed * update automtls env string * combine getBackend and getBrokeredClient * update comments for plugin reload, Backend return val and log * revert Backend return type * allow non-muxed plugins to serve v5 * move v5 code to existing sdk plugin package * do next export sdk fields now that we have removed extra plugin pkg * set TLSProvider in ServeMultiplex for backwards compat * use bool to flag multiplexing support on grpc backend server * revert userpass main.go * refactor plugin sdk - update comments - make use of multiplexing boolean and single implementation ID const * update comment and use multierr * attempt v4 if dispense fails on getPluginTypeForUnknown * update comments on sdk plugin backend
package pluginutil
import (
"os"
"github.com/hashicorp/go-secure-stdlib/mlock"
version "github.com/hashicorp/go-version"
)
const (
	// PluginAutoMTLSEnv names the variable that forces AutoMTLS for the plugin
	// connection. When set it takes precedence over any TLSProviderFunc
	// configured for the plugin.
	PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS_ENABLED"

	// PluginMlockEnabled names the variable that tells a plugin whether to lock
	// its memory (consumed by OptionallyEnableMlock).
	PluginMlockEnabled = "VAULT_PLUGIN_MLOCK_ENABLED"

	// PluginVaultVersionEnv names the variable carrying the version of the
	// Vault server that launched the plugin (consumed by GRPCSupport).
	PluginVaultVersionEnv = "VAULT_VERSION"

	// PluginMetadataModeEnv names the variable that disables TLS on the plugin
	// connection while plugins are being bootstrapped for mounting (consumed by
	// InMetadataMode). NOTE(review): because this turns TLS off, it is only
	// expected during bootstrap — confirm callers never leave it set for a
	// plugin serving live traffic.
	PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"

	// PluginUnwrapTokenEnv names the variable used to hand an unwrap token to
	// the plugin. NOTE(review): environment variables are typically readable by
	// other processes running as the same user, so this should carry only the
	// short-lived wrapping token and never a long-lived credential — confirm
	// against the caller.
	PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"

	// PluginCACertPEMEnv names the variable holding a PEM-encoded CA
	// certificate. Used for testing only.
	PluginCACertPEMEnv = "VAULT_TESTING_PLUGIN_CA_PEM"
)
// OptionallyEnableMlock locks the process memory via mlock when the
// PluginMlockEnabled environment variable is exactly "true"; for any other
// value (including unset) it does nothing and returns nil. On the enabled
// path it returns whatever error mlock.LockMemory reports.
func OptionallyEnableMlock() error {
	// Only the literal string "true" enables locking; "1", "TRUE" etc. do not.
	if os.Getenv(PluginMlockEnabled) != "true" {
		return nil
	}
	// Locking memory keeps secrets held by the plugin from being paged to swap.
	return mlock.LockMemory()
}
// GRPCSupport reports whether the plugin framework should default to gRPC.
// It reads the server version from PluginVaultVersionEnv and returns:
//   - false when the variable is unset/empty (netrpc fallback for older servers);
//   - true when the value is "unknown" or cannot be parsed as a version;
//   - otherwise the result of checking the version against ">= 0.9.4".
func GRPCSupport() bool {
	raw := os.Getenv(PluginVaultVersionEnv)

	switch raw {
	case "":
		// No version means an old server; fall back to netrpc.
		return false
	case "unknown":
		return true
	}

	parsed, err := version.NewVersion(raw)
	if err != nil {
		// An unparseable version is treated as new enough for gRPC.
		return true
	}

	// Regressions in 0.9.2 and 0.9.3 mean 0.9.4 is the first version that may
	// default to gRPC.
	minimum, err := version.NewConstraint(">= 0.9.4")
	if err != nil {
		return true
	}
	return minimum.Check(parsed)
}
// InMetadataMode reports whether the calling plugin is running in metadata
// mode, i.e. whether PluginMetadataModeEnv is set to exactly "true". Metadata
// mode is the bootstrap mode in which TLS to the plugin is disabled.
func InMetadataMode() bool {
	mode := os.Getenv(PluginMetadataModeEnv)
	return mode == "true"
}