mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-11-01 19:17:58 +00:00
gRPC Backend Plugins (#3808)
* Add grpc plugins * Add grpc plugins * Translate wrap info to/from proto * Add nil checks * Fix nil marshaling errors * Provide logging through the go-plugin logger * handle errors in the messages * Update the TLS config so bidirectional connections work * Add connectivity checks * Restart plugin and add timeouts where context is not availible * Add the response wrap data into the grpc system implementation * Add leaseoptions to pb.Auth * Add an error translator * Add tests for translating the proto objects * Fix rename of function * Add tracing to plugins for easier debugging * Handle plugin crashes with the go-plugin context * Add test for grpcStorage * Add tests for backend and system * Bump go-plugin for GRPCBroker * Remove RegisterLicense * Add casing translations for new proto messages * Use doneCtx in grpcClient * Use doneCtx in grpcClient * s/shutdown/shut down/
This commit is contained in:
Brian Kassouf
202
logical/plugin/grpc_system.go
Normal file
202
logical/plugin/grpc_system.go
Normal file
@@ -0,0 +1,202 @@
|
||||
package plugin
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"time"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
|
||||
"fmt"
|
||||
|
||||
"github.com/hashicorp/vault/helper/consts"
|
||||
"github.com/hashicorp/vault/helper/pluginutil"
|
||||
"github.com/hashicorp/vault/helper/wrapping"
|
||||
"github.com/hashicorp/vault/logical"
|
||||
"github.com/hashicorp/vault/logical/plugin/pb"
|
||||
)
|
||||
|
||||
func newGRPCSystemView(conn *grpc.ClientConn) *gRPCSystemViewClient {
|
||||
return &gRPCSystemViewClient{
|
||||
client: pb.NewSystemViewClient(conn),
|
||||
}
|
||||
}
|
||||
|
||||
type gRPCSystemViewClient struct {
|
||||
client pb.SystemViewClient
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewClient) DefaultLeaseTTL() time.Duration {
|
||||
reply, err := s.client.DefaultLeaseTTL(context.Background(), &pb.Empty{})
|
||||
if err != nil {
|
||||
return 0
|
||||
}
|
||||
|
||||
return time.Duration(reply.TTL)
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewClient) MaxLeaseTTL() time.Duration {
|
||||
reply, err := s.client.MaxLeaseTTL(context.Background(), &pb.Empty{})
|
||||
if err != nil {
|
||||
return 0
|
||||
}
|
||||
|
||||
return time.Duration(reply.TTL)
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewClient) SudoPrivilege(path string, token string) bool {
|
||||
reply, err := s.client.SudoPrivilege(context.Background(), &pb.SudoPrivilegeArgs{
|
||||
Path: path,
|
||||
Token: token,
|
||||
})
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return reply.Sudo
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewClient) Tainted() bool {
|
||||
reply, err := s.client.Tainted(context.Background(), &pb.Empty{})
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return reply.Tainted
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewClient) CachingDisabled() bool {
|
||||
reply, err := s.client.CachingDisabled(context.Background(), &pb.Empty{})
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return reply.Disabled
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewClient) ReplicationState() consts.ReplicationState {
|
||||
reply, err := s.client.ReplicationState(context.Background(), &pb.Empty{})
|
||||
if err != nil {
|
||||
return consts.ReplicationDisabled
|
||||
}
|
||||
|
||||
return consts.ReplicationState(reply.State)
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewClient) ResponseWrapData(data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
|
||||
buf, err := json.Marshal(data)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
reply, err := s.client.ResponseWrapData(context.Background(), &pb.ResponseWrapDataArgs{
|
||||
Data: buf,
|
||||
TTL: int64(ttl),
|
||||
JWT: false,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if reply.Err != "" {
|
||||
return nil, errors.New(reply.Err)
|
||||
}
|
||||
|
||||
info, err := pb.ProtoResponseWrapInfoToLogicalResponseWrapInfo(reply.WrapInfo)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return info, nil
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewClient) LookupPlugin(name string) (*pluginutil.PluginRunner, error) {
|
||||
return nil, fmt.Errorf("cannot call LookupPlugin from a plugin backend")
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewClient) MlockEnabled() bool {
|
||||
reply, err := s.client.MlockEnabled(context.Background(), &pb.Empty{})
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return reply.Enabled
|
||||
}
|
||||
|
||||
type gRPCSystemViewServer struct {
|
||||
impl logical.SystemView
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewServer) DefaultLeaseTTL(ctx context.Context, _ *pb.Empty) (*pb.TTLReply, error) {
|
||||
ttl := s.impl.DefaultLeaseTTL()
|
||||
return &pb.TTLReply{
|
||||
TTL: int64(ttl),
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewServer) MaxLeaseTTL(ctx context.Context, _ *pb.Empty) (*pb.TTLReply, error) {
|
||||
ttl := s.impl.MaxLeaseTTL()
|
||||
return &pb.TTLReply{
|
||||
TTL: int64(ttl),
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewServer) SudoPrivilege(ctx context.Context, args *pb.SudoPrivilegeArgs) (*pb.SudoPrivilegeReply, error) {
|
||||
sudo := s.impl.SudoPrivilege(args.Path, args.Token)
|
||||
return &pb.SudoPrivilegeReply{
|
||||
Sudo: sudo,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewServer) Tainted(ctx context.Context, _ *pb.Empty) (*pb.TaintedReply, error) {
|
||||
tainted := s.impl.Tainted()
|
||||
return &pb.TaintedReply{
|
||||
Tainted: tainted,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewServer) CachingDisabled(ctx context.Context, _ *pb.Empty) (*pb.CachingDisabledReply, error) {
|
||||
cachingDisabled := s.impl.CachingDisabled()
|
||||
return &pb.CachingDisabledReply{
|
||||
Disabled: cachingDisabled,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewServer) ReplicationState(ctx context.Context, _ *pb.Empty) (*pb.ReplicationStateReply, error) {
|
||||
replicationState := s.impl.ReplicationState()
|
||||
return &pb.ReplicationStateReply{
|
||||
State: int32(replicationState),
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewServer) ResponseWrapData(ctx context.Context, args *pb.ResponseWrapDataArgs) (*pb.ResponseWrapDataReply, error) {
|
||||
data := map[string]interface{}{}
|
||||
err := json.Unmarshal(args.Data, &data)
|
||||
if err != nil {
|
||||
return &pb.ResponseWrapDataReply{}, err
|
||||
}
|
||||
|
||||
// Do not allow JWTs to be returned
|
||||
info, err := s.impl.ResponseWrapData(data, time.Duration(args.TTL), false)
|
||||
if err != nil {
|
||||
return &pb.ResponseWrapDataReply{
|
||||
Err: pb.ErrToString(err),
|
||||
}, nil
|
||||
}
|
||||
|
||||
pbInfo, err := pb.LogicalResponseWrapInfoToProtoResponseWrapInfo(info)
|
||||
if err != nil {
|
||||
return &pb.ResponseWrapDataReply{}, err
|
||||
}
|
||||
|
||||
return &pb.ResponseWrapDataReply{
|
||||
WrapInfo: pbInfo,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *gRPCSystemViewServer) MlockEnabled(ctx context.Context, _ *pb.Empty) (*pb.MlockEnabledReply, error) {
|
||||
enabled := s.impl.MlockEnabled()
|
||||
return &pb.MlockEnabledReply{
|
||||
Enabled: enabled,
|
||||
}, nil
|
||||
}
|
||||
Reference in New Issue
Block a user