fix rotation_window bug in error path (#22699)

This commit is contained in:
John-Michael Faircloth
2023-08-31 15:45:01 -05:00
committed by GitHub
parent 08574508c8
commit 16f805419f
2 changed files with 31 additions and 11 deletions


@@ -837,7 +837,7 @@ func (s *staticAccount) NextRotationTime() time.Time {
if s.UsesRotationPeriod() { if s.UsesRotationPeriod() {
return s.LastVaultRotation.Add(s.RotationPeriod) return s.LastVaultRotation.Add(s.RotationPeriod)
} }
return s.Schedule.Next(s.LastVaultRotation) return s.Schedule.Next(time.Now())
} }
// NextRotationTimeFromInput calculates the next rotation time for period and // NextRotationTimeFromInput calculates the next rotation time for period and
@@ -879,10 +879,9 @@ func (s *staticAccount) IsInsideRotationWindow(t time.Time) bool {
// //
// This will return true when the priority <= the current Unix time. If this // This will return true when the priority <= the current Unix time. If this
// static account is schedule-based with a rotation window, this method will // static account is schedule-based with a rotation window, this method will
// return false if now is outside the rotation window. // return false if t is outside the rotation window.
func (s *staticAccount) ShouldRotate(priority int64) bool { func (s *staticAccount) ShouldRotate(priority int64, t time.Time) bool {
now := time.Now() return priority <= t.Unix() && s.IsInsideRotationWindow(t)
return priority <= now.Unix() && s.IsInsideRotationWindow(now)
} }
// SetNextVaultRotation // SetNextVaultRotation
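Review bot: The doc comment on ShouldRotate is only half updated: the second hunk changes "now" to "t" on the last comment line, but the preceding line still says "priority <= the current Unix time" even though the function no longer reads the clock; it should read `// This will return true when the priority <= t's Unix time. If this`. In the first hunk, NextRotationTime now calls time.Now() internally while ShouldRotate takes the instant as a parameter, so a caller that evaluates a rotation with one `now` and then logs NextRotationTime() computes the schedule from a second, later clock reading; NextRotationTimeFromInput(now) already exists for that case, and NextRotationTime's own doc comment (outside the hunk) should say it is evaluated relative to the current time rather than LastVaultRotation. Both functions' bodies are fully inside their hunks, but the NextRotationTime doc comment and the start of ShouldRotate's comment are not.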


@@ -217,7 +217,33 @@ func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storag
logger = logger.With("database", role.DBName) logger = logger.With("database", role.DBName)
if !role.StaticAccount.ShouldRotate(item.Priority) { input := &setStaticAccountInput{
RoleName: roleName,
Role: role,
}
now := time.Now()
if !role.StaticAccount.ShouldRotate(item.Priority, now) {
if !role.StaticAccount.IsInsideRotationWindow(now) {
// We are a schedule-based rotation and we are outside a rotation
// window so we update priority and NextVaultRotation
item.Priority = role.StaticAccount.NextRotationTimeFromInput(now).Unix()
role.StaticAccount.SetNextVaultRotation(now)
b.logger.Trace("outside schedule-based rotation window, update priority", "next", role.StaticAccount.NextRotationTime())
// write to storage after updating NextVaultRotation so the next
// time this item is checked for rotation our role that we retrieve
// from storage reflects that change
entry, err := logical.StorageEntryJSON(databaseStaticRolePath+input.RoleName, input.Role)
if err != nil {
logger.Error("unable to encode entry for storage", "error", err)
return false
}
if err := s.Put(ctx, entry); err != nil {
logger.Error("unable to write to storage", "error", err)
return false
}
}
// do not rotate now, push item back onto queue to be rotated later // do not rotate now, push item back onto queue to be rotated later
if err := b.pushItem(item); err != nil { if err := b.pushItem(item); err != nil {
logger.Error("unable to push item on to queue", "error", err) logger.Error("unable to push item on to queue", "error", err)
@@ -226,11 +252,6 @@ func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storag
return false return false
} }
input := &setStaticAccountInput{
RoleName: roleName,
Role: role,
}
// If there is a WAL entry related to this Role, the corresponding WAL ID // If there is a WAL entry related to this Role, the corresponding WAL ID
// should be stored in the Item's Value field. // should be stored in the Item's Value field.
if walID, ok := item.Value.(string); ok { if walID, ok := item.Value.(string); ok {
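Review bot: The two new error returns after StorageEntryJSON and s.Put leave without re-queuing the item, whereas every other early exit in this path (including the pushItem block directly below, whose comment says the item is pushed back to be rotated later) keeps the item on the queue; if the item was popped before this hunk, as that comment implies, a transient storage error drops the static role from the rotation queue until the queue is rebuilt. The smallest fix is to log the encode/write error and fall through to the existing `if err := b.pushItem(item); err != nil {` instead of returning, since the in-memory priority has already been recomputed. Separately, the trace line uses `b.logger.Trace(...)` while the rest of the function logs through the contextual `logger`, and it reports `role.StaticAccount.NextRotationTime()`, which takes a fresh time.Now() rather than the `now` just passed to SetNextVaultRotation; `logger.Trace("outside schedule-based rotation window, update priority", "next", role.StaticAccount.NextRotationTimeFromInput(now))` keeps the log consistent with the value written to storage. The enclosing rotateCredential starts and ends outside the hunk, so this applies only as far as the visible return paths go.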