scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-02 03:27:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Support running plugins in isolated containers (#22712)

Browse Source 
Implements running plugins in containers to give them some degree
of isolation from the main Vault process and other plugins. It only
supports running on Linux initially, where it is easiest to manage unix
socket communication across the container boundary.

Additionally

* Adds -env arg to vault plugin register.
* Don't return env from 'vault plugin info'

Historically it's been omitted, and it could conceivably have secret information in
it, so if we want to return it in the response, it should probably only be via explicit
opt-in. Skipping for now though as it's not the main purpose of the commit.
This commit is contained in:
Tom Proctor
2023-09-01 18:55:17 +01:00
committed by GitHub
parent c26aa9cb9e
commit 07e76196ba
19 changed files with 879 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
command/plugin_info.go
View File

@@ -126,6 +126,7 @@ func (c *PluginInfoCommand) Run(args []string) int {
"args": resp.Args,
"builtin": resp.Builtin,
"command": resp.Command,
"oci_image": resp.OCIImage,
"name": resp.Name,
"sha256": resp.SHA256,
"deprecation_status": resp.DeprecationStatus,

52
command/plugin_register.go
View File

@@ -20,10 +20,12 @@ var (
type PluginRegisterCommand struct {
*BaseCommand
flagArgs []string
flagCommand string
flagSHA256 string
flagVersion string
flagArgs []string
flagCommand string
flagSHA256 string
flagVersion string
flagOCIImage string
flagEnv []string
}
func (c *PluginRegisterCommand) Synopsis() string {
@@ -64,8 +66,8 @@ func (c *PluginRegisterCommand) Flags() *FlagSets {
Name: "args",
Target: &c.flagArgs,
Completion: complete.PredictAnything,
Usage: "Arguments to pass to the plugin when starting. Separate " +
"multiple arguments with a comma.",
Usage: "Argument to pass to the plugin when starting. This " +
"flag can be specified multiple times to specify multiple args.",
})
f.StringVar(&StringVar{
@@ -73,21 +75,37 @@ func (c *PluginRegisterCommand) Flags() *FlagSets {
Target: &c.flagCommand,
Completion: complete.PredictAnything,
Usage: "Command to spawn the plugin. This defaults to the name of the " +
"plugin if unspecified.",
"plugin if both oci_image and command are unspecified.",
})
f.StringVar(&StringVar{
Name: "sha256",
Target: &c.flagSHA256,
Completion: complete.PredictAnything,
Usage: "SHA256 of the plugin binary. This is required for all plugins.",
Usage: "SHA256 of the plugin binary or the oci_image provided. This is required for all plugins.",
})
f.StringVar(&StringVar{
Name: "version",
Target: &c.flagVersion,
Completion: complete.PredictAnything,
Usage: "Semantic version of the plugin. Optional.",
Usage: "Semantic version of the plugin. Used as the tag when specifying oci_image, but with any leading 'v' trimmed. Optional.",
})
f.StringVar(&StringVar{
Name: "oci_image",
Target: &c.flagOCIImage,
Completion: complete.PredictAnything,
Usage: "OCI image to run. If specified, setting command, args, and env will update the " +
"container's entrypoint, args, and environment variables (append-only) respectively.",
})
f.StringSliceVar(&StringSliceVar{
Name: "env",
Target: &c.flagEnv,
Completion: complete.PredictAnything,
Usage: "Environment variables to set for the plugin when starting. This " +
"flag can be specified multiple times to specify multiple environment variables.",
})
return set
@@ -145,17 +163,19 @@ func (c *PluginRegisterCommand) Run(args []string) int {
pluginName := strings.TrimSpace(pluginNameRaw)
command := c.flagCommand
if command == "" {
if command == "" && c.flagOCIImage == "" {
command = pluginName
}
if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
Name: pluginName,
Type: pluginType,
Args: c.flagArgs,
Command: command,
SHA256: c.flagSHA256,
Version: c.flagVersion,
Name: pluginName,
Type: pluginType,
Args: c.flagArgs,
Command: command,
SHA256: c.flagSHA256,
Version: c.flagVersion,
OCIImage: c.flagOCIImage,
Env: c.flagEnv,
}); err != nil {
c.UI.Error(fmt.Sprintf("Error registering plugin %s: %s", pluginName, err))
return 2

141
command/plugin_register_test.go
View File

@@ -4,11 +4,16 @@
package command
import (
"encoding/json"
"fmt"
"io"
"net/http"
"reflect"
"sort"
"strings"
"testing"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
"github.com/hashicorp/vault/sdk/helper/consts"
@@ -229,3 +234,139 @@ func TestPluginRegisterCommand_Run(t *testing.T) {
assertNoTabs(t, cmd)
})
}
// TestFlagParsing ensures that flags passed to vault plugin register correctly
// translate into the expected JSON body and request path.
func TestFlagParsing(t *testing.T) {
for name, tc := range map[string]struct {
pluginType api.PluginType
name string
command string
ociImage string
version string
sha256 string
args []string
env []string
expectedPayload string
}{
"minimal": {
pluginType: api.PluginTypeUnknown,
name: "foo",
sha256: "abc123",
expectedPayload: `{"type":0,"command":"foo","sha256":"abc123"}`,
},
"full": {
pluginType: api.PluginTypeCredential,
name: "name",
command: "cmd",
ociImage: "image",
version: "v1.0.0",
sha256: "abc123",
args: []string{"--a=b", "--b=c", "positional"},
env: []string{"x=1", "y=2"},
expectedPayload: `{"type":1,"args":["--a=b","--b=c","positional"],"command":"cmd","sha256":"abc123","version":"v1.0.0","oci_image":"image","env":["x=1","y=2"]}`,
},
"command remains empty if oci_image specified": {
pluginType: api.PluginTypeCredential,
name: "name",
ociImage: "image",
sha256: "abc123",
expectedPayload: `{"type":1,"sha256":"abc123","oci_image":"image"}`,
},
} {
tc := tc
t.Run(name, func(t *testing.T) {
ui, cmd := testPluginRegisterCommand(t)
var requestLogger *recordingRoundTripper
cmd.client, requestLogger = mockClient(t)
var args []string
if tc.command != "" {
args = append(args, "-command="+tc.command)
}
if tc.ociImage != "" {
args = append(args, "-oci_image="+tc.ociImage)
}
if tc.sha256 != "" {
args = append(args, "-sha256="+tc.sha256)
}
if tc.version != "" {
args = append(args, "-version="+tc.version)
}
for _, arg := range tc.args {
args = append(args, "-args="+arg)
}
for _, env := range tc.env {
args = append(args, "-env="+env)
}
if tc.pluginType != api.PluginTypeUnknown {
args = append(args, tc.pluginType.String())
}
args = append(args, tc.name)
t.Log(args)
code := cmd.Run(args)
if exp := 0; code != exp {
t.Fatalf("expected %d to be %d\nstdout: %s\nstderr: %s", code, exp, ui.OutputWriter.String(), ui.ErrorWriter.String())
}
actual := &api.RegisterPluginInput{}
expected := &api.RegisterPluginInput{}
err := json.Unmarshal(requestLogger.body, actual)
if err != nil {
t.Fatal(err)
}
err = json.Unmarshal([]byte(tc.expectedPayload), expected)
if err != nil {
t.Fatal(err)
}
if !reflect.DeepEqual(expected, actual) {
t.Errorf("expected: %s\ngot: %s", tc.expectedPayload, requestLogger.body)
}
expectedPath := fmt.Sprintf("/v1/sys/plugins/catalog/%s/%s", tc.pluginType.String(), tc.name)
if tc.pluginType == api.PluginTypeUnknown {
expectedPath = fmt.Sprintf("/v1/sys/plugins/catalog/%s", tc.name)
}
if requestLogger.path != expectedPath {
t.Errorf("Expected path %s, got %s", expectedPath, requestLogger.path)
}
})
}
}
func mockClient(t *testing.T) (*api.Client, *recordingRoundTripper) {
t.Helper()
config := api.DefaultConfig()
httpClient := cleanhttp.DefaultClient()
roundTripper := &recordingRoundTripper{}
httpClient.Transport = roundTripper
config.HttpClient = httpClient
client, err := api.NewClient(config)
if err != nil {
t.Fatal(err)
}
return client, roundTripper
}
var _ http.RoundTripper = (*recordingRoundTripper)(nil)
type recordingRoundTripper struct {
path string
body []byte
}
func (r *recordingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
r.path = req.URL.Path
defer req.Body.Close()
body, err := io.ReadAll(req.Body)
if err != nil {
return nil, err
}
r.body = body
return &http.Response{
StatusCode: 200,
}, nil
}