mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-09 08:07:01 +02:00
39bcd5c715
* use automtls for v5 secrets/auth plugins * add automtls env guard * start backend without metadata mode * use PluginClientConfig for backend's NewPluginClient param refactor * - fix pluginutil test - do not expect plugin to be unloaded in UT - fix pluginutil tests --need new env var - use require in UT - fix lazy load test * add changelog * prioritize automtls; improve comments * user multierror; refactor pluginSet for v4 unit test * add test cases for v4 and v5 plugin versions * remove unnecessary call to AutoMTLSSupported * update comment on pluginSets * use runconfig directly in sdk newpluginclient * use automtls without metadatamode for v5 backend plugin registration * use multierror for plugin runconfig calls * remove some unnecessary code
101 lines
2.6 KiB
Go
101 lines
2.6 KiB
Go
package plugin
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"math"
|
|
"os"
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
log "github.com/hashicorp/go-hclog"
|
|
plugin "github.com/hashicorp/go-plugin"
|
|
"github.com/hashicorp/vault/sdk/helper/pluginutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
// BackendPluginName is the name of the plugin that can be
|
|
// dispensed from the plugin server.
|
|
const BackendPluginName = "backend"
|
|
|
|
type TLSProviderFunc func() (*tls.Config, error)
|
|
|
|
type ServeOpts struct {
|
|
BackendFactoryFunc logical.Factory
|
|
TLSProviderFunc TLSProviderFunc
|
|
Logger log.Logger
|
|
}
|
|
|
|
// Serve is a helper function used to serve a backend plugin. This
|
|
// should be ran on the plugin's main process.
|
|
func Serve(opts *ServeOpts) error {
|
|
logger := opts.Logger
|
|
if logger == nil {
|
|
logger = log.New(&log.LoggerOptions{
|
|
Level: log.Trace,
|
|
Output: os.Stderr,
|
|
JSONFormat: true,
|
|
})
|
|
}
|
|
|
|
// pluginSets is the map of plugins we can dispense.
|
|
pluginSets := map[int]plugin.PluginSet{
|
|
// Version 3 used to supports both protocols. We want to keep it around
|
|
// since it's possible old plugins built against this version will still
|
|
// work with gRPC. There is currently no difference between version 3
|
|
// and version 4.
|
|
// AutoMTLS is not supported by versions lower than 5.
|
|
3: {
|
|
"backend": &GRPCBackendPlugin{
|
|
Factory: opts.BackendFactoryFunc,
|
|
Logger: logger,
|
|
},
|
|
},
|
|
4: {
|
|
"backend": &GRPCBackendPlugin{
|
|
Factory: opts.BackendFactoryFunc,
|
|
Logger: logger,
|
|
},
|
|
},
|
|
5: {
|
|
"backend": &GRPCBackendPlugin{
|
|
Factory: opts.BackendFactoryFunc,
|
|
Logger: logger,
|
|
AutoMTLSSupported: true,
|
|
},
|
|
},
|
|
}
|
|
|
|
err := pluginutil.OptionallyEnableMlock()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
serveOpts := &plugin.ServeConfig{
|
|
HandshakeConfig: handshakeConfig,
|
|
VersionedPlugins: pluginSets,
|
|
TLSProvider: opts.TLSProviderFunc,
|
|
Logger: logger,
|
|
|
|
// A non-nil value here enables gRPC serving for this plugin...
|
|
GRPCServer: func(opts []grpc.ServerOption) *grpc.Server {
|
|
opts = append(opts, grpc.MaxRecvMsgSize(math.MaxInt32))
|
|
opts = append(opts, grpc.MaxSendMsgSize(math.MaxInt32))
|
|
return plugin.DefaultGRPCServer(opts)
|
|
},
|
|
}
|
|
|
|
plugin.Serve(serveOpts)
|
|
|
|
return nil
|
|
}
|
|
|
|
// handshakeConfigs are used to just do a basic handshake between
|
|
// a plugin and host. If the handshake fails, a user friendly error is shown.
|
|
// This prevents users from executing bad plugins or executing a plugin
|
|
// directory. It is a UX feature, not a security feature.
|
|
var handshakeConfig = plugin.HandshakeConfig{
|
|
ProtocolVersion: 4,
|
|
MagicCookieKey: "VAULT_BACKEND_PLUGIN",
|
|
MagicCookieValue: "6669da05-b1c8-4f49-97d9-c8e5bed98e20",
|
|
}
|