mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-13 18:17:02 +02:00
1e132479f0
* VAULT-19237 Add mount_type to secret response * VAULT-19237 changelog * VAULT-19237 make MountType generic * VAULT-19237 clean up comment * VAULT-19237 update changelog * VAULT-19237 update test, remove mounttype from wrapped responses * VAULT-19237 fix a lot of tests * VAULT-19237 standby test * ensure -log-level is added to core config (#23017) * Feature/document tls servername (#22714) * Add Raft TLS Helm examples Co-authored-by: Pascal Reeb <pascal.reeb@adfinis.com> --------- * Clean up unused CRL entries when issuer is removed (#23007) * Clean up unused CRL entries when issuer is removed When a issuer is removed, the space utilized by its CRL was not freed, both from the CRL config mapping issuer IDs to CRL IDs and from the CRL storage entry. We thus implement a two step cleanup, wherein orphaned CRL IDs are removed from the config and any remaining full CRL entries are removed from disk. This relates to a Consul<->Vault interop issue (#22980), wherein Consul creates a new issuer on every leadership election, causing this config to grow. Deleting issuers manually does not entirely solve this problem as the config does not fully reclaim space used in this entry. Notably, an observation that when deleting issuers, the CRL was rebuilt on secondary clusters (due to the invalidation not caring about type of the operation); for consistency and to clean up the unified CRLs, we also need to run the rebuild on the active primary cluster that deleted the issuer as well. This approach does allow cleanup on existing impacted clusters by simply rebuilding the CRL. Co-authored-by: Steven Clark <steven.clark@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add test case on CRL removal Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * UI: Handle control group error on SSH (#23025) * Handle control group error on SSH * Add changelog * Fix enterprise failure of TestCRLIssuerRemoval (#23038) This fixes the enterprise failure of the test ``` === FAIL: builtin/logical/pki TestCRLIssuerRemoval (0.00s) crl_test.go:1456: Error Trace: /home/runner/actions-runner/_work/vault-enterprise/vault-enterprise/builtin/logical/pki/crl_test.go:1456 Error: Received unexpected error: Global, cross-cluster revocation queue cannot be enabled when auto rebuilding is disabled as the local cluster may not have the certificate entry! Test: TestCRLIssuerRemoval Messages: failed enabling unified CRLs on enterprise ``` * fix LDAP auto auth changelog (#23027) * VAULT-19233 First part of caching static secrets work * VAULT-19233 update godoc * VAULT-19233 invalidate cache on non-GET * VAULT-19233 add locking to proxy cache writes * VAULT-19233 add caching of capabilities map, and some additional test coverage * VAULT-19233 Additional testing * VAULT-19233 namespaces for cache ids * VAULT-19233 cache-clear testing and implementation * VAULT-19233 adjust format, add more tests * VAULT-19233 some more docs * VAULT-19233 Add RLock holding for map access * VAULT-19233 PR comments * VAULT-19233 Different table for capabilities indexes * VAULT-19233 keep unique for request path * VAULT-19233 passthrough for non-v1 requests * VAULT-19233 some renames/PR comment updates * VAULT-19233 remove type from capabilities index * VAULT-19233 remove obsolete capabilities * VAULT-19233 remove erroneous capabilities * VAULT-19233 woops, missed a test * VAULT-19233 typo * VAULT-19233 add custom error for cachememdb * VAULT-19233 fix cachememdb test --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com> Co-authored-by: Andreas Gruhler <andreas.gruhler@adfinis.com> Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Steven Clark <steven.clark@hashicorp.com> Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
115 lines
2.8 KiB
Go
115 lines
2.8 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package cache
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"math/rand"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/helper/useragent"
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
)
|
|
|
|
// mockProxier is a mock implementation of the Proxier interface, used for testing purposes.
|
|
// The mock will return the provided responses every time it reaches its Send method, up to
|
|
// the last provided response. This lets tests control what the next/underlying Proxier layer
|
|
// might expect to return.
|
|
type mockProxier struct {
|
|
proxiedResponses []*SendResponse
|
|
responseIndex int
|
|
}
|
|
|
|
func NewMockProxier(responses []*SendResponse) *mockProxier {
|
|
return &mockProxier{
|
|
proxiedResponses: responses,
|
|
}
|
|
}
|
|
|
|
func (p *mockProxier) Send(ctx context.Context, req *SendRequest) (*SendResponse, error) {
|
|
if p.responseIndex >= len(p.proxiedResponses) {
|
|
return nil, fmt.Errorf("index out of bounds: responseIndex = %d, responses = %d", p.responseIndex, len(p.proxiedResponses))
|
|
}
|
|
resp := p.proxiedResponses[p.responseIndex]
|
|
|
|
p.responseIndex++
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
func (p *mockProxier) ResponseIndex() int {
|
|
return p.responseIndex
|
|
}
|
|
|
|
func newTestSendResponse(status int, body string) *SendResponse {
|
|
headers := make(http.Header)
|
|
headers.Add("User-Agent", useragent.AgentProxyString())
|
|
resp := &SendResponse{
|
|
Response: &api.Response{
|
|
Response: &http.Response{
|
|
StatusCode: status,
|
|
Header: headers,
|
|
},
|
|
},
|
|
}
|
|
resp.Response.Header.Set("Date", time.Now().Format(http.TimeFormat))
|
|
|
|
if body != "" {
|
|
resp.Response.Body = io.NopCloser(strings.NewReader(body))
|
|
resp.ResponseBody = []byte(body)
|
|
}
|
|
|
|
if json.Valid([]byte(body)) {
|
|
resp.Response.Header.Set("content-type", "application/json")
|
|
}
|
|
|
|
return resp
|
|
}
|
|
|
|
type mockTokenVerifierProxier struct {
|
|
currentToken string
|
|
}
|
|
|
|
func (p *mockTokenVerifierProxier) Send(ctx context.Context, req *SendRequest) (*SendResponse, error) {
|
|
p.currentToken = req.Token
|
|
resp := newTestSendResponse(http.StatusOK,
|
|
`{"data": {"id": "`+p.currentToken+`"}}`)
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
func (p *mockTokenVerifierProxier) GetCurrentRequestToken() string {
|
|
return p.currentToken
|
|
}
|
|
|
|
type mockDelayProxier struct {
|
|
cacheableResp bool
|
|
delay int
|
|
}
|
|
|
|
func (p *mockDelayProxier) Send(ctx context.Context, req *SendRequest) (*SendResponse, error) {
|
|
if p.delay > 0 {
|
|
select {
|
|
case <-ctx.Done():
|
|
return nil, ctx.Err()
|
|
case <-time.After(time.Duration(p.delay) * time.Millisecond):
|
|
}
|
|
}
|
|
|
|
// If this is a cacheable response, we return a unique response every time
|
|
if p.cacheableResp {
|
|
rand.Seed(time.Now().Unix())
|
|
s := fmt.Sprintf(`{"lease_id": "%d", "renewable": true, "data": {"foo": "bar"}}`, rand.Int())
|
|
return newTestSendResponse(http.StatusOK, s), nil
|
|
}
|
|
|
|
return newTestSendResponse(http.StatusOK, `{"value": "output"}`), nil
|
|
}
|