correct delete path for tidy operations (#4799)

2025-11-01 19:17:58 +00:00 · 2018-06-19 20:58:12 -04:00
parent fe3404ad46
commit 6734c744fc
3 changed files with 50 additions and 6 deletions
--- a/builtin/credential/aws/backend_test.go
+++ b/builtin/credential/aws/backend_test.go
@@ -371,6 +371,17 @@ func TestBackend_TidyIdentities(t *testing.T) {
 		t.Fatal(err)
 	}

+	expiredIdentityWhitelist := &whitelistIdentity{
+		ExpirationTime: time.Now().Add(-1 * 24 * 365 * time.Hour),
+	}
+	entry, err := logical.StorageEntryJSON("whitelist/identity/id1", expiredIdentityWhitelist)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := storage.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
 	// test update operation
 	_, err = b.HandleRequest(context.Background(), &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -380,6 +391,17 @@ func TestBackend_TidyIdentities(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+
+	// let tidy finish in the background
+	time.Sleep(1 * time.Second)
+
+	entry, err = storage.Get(context.Background(), "whitelist/identity/id1")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if entry != nil {
+		t.Fatal("wl tidy did not remove expired entry")
+	}
 }

 func TestBackend_TidyRoleTags(t *testing.T) {
@@ -397,6 +419,17 @@ func TestBackend_TidyRoleTags(t *testing.T) {
 		t.Fatal(err)
 	}

+	expiredIdentityWhitelist := &roleTagBlacklistEntry{
+		ExpirationTime: time.Now().Add(-1 * 24 * 365 * time.Hour),
+	}
+	entry, err := logical.StorageEntryJSON("blacklist/roletag/id1", expiredIdentityWhitelist)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := storage.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
 	// test update operation
 	_, err = b.HandleRequest(context.Background(), &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -406,6 +439,17 @@ func TestBackend_TidyRoleTags(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+
+	// let tidy finish in the background
+	time.Sleep(1 * time.Second)
+
+	entry, err = storage.Get(context.Background(), "blacklist/roletag/id1")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if entry != nil {
+		t.Fatal("bl tidy did not remove expired entry")
+	}
 }

 func TestBackend_ConfigClient(t *testing.T) {
--- a/builtin/credential/aws/path_tidy_identity_whitelist.go
+++ b/builtin/credential/aws/path_tidy_identity_whitelist.go
@@ -33,7 +33,7 @@ expiration, before it is removed from the backend storage.`,
 }

 // tidyWhitelistIdentity is used to delete entries in the whitelist that are expired.
-func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage, safety_buffer int) (*logical.Response, error) {
+func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage, safetyBuffer int) (*logical.Response, error) {
 	if !atomic.CompareAndSwapUint32(b.tidyWhitelistCASGuard, 0, 1) {
 		resp := &logical.Response{}
 		resp.AddWarning("Tidy operation already in progress.")
@@ -48,7 +48,7 @@ func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage,

 		logger := b.Logger().Named("wltidy")

-		bufferDuration := time.Duration(safety_buffer) * time.Second
+		bufferDuration := time.Duration(safetyBuffer) * time.Second

 		doTidy := func() error {
 			identities, err := s.List(ctx, "whitelist/identity/")
@@ -76,7 +76,7 @@ func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage,
 				}

 				if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
-					if err := s.Delete(ctx, "whitelist/identity"+instanceID); err != nil {
+					if err := s.Delete(ctx, "whitelist/identity/"+instanceID); err != nil {
 						return errwrap.Wrapf(fmt.Sprintf("error deleting identity of instanceID %q from storage: {{err}}", instanceID), err)
 					}
 				}
--- a/builtin/credential/aws/path_tidy_roletag_blacklist.go
+++ b/builtin/credential/aws/path_tidy_roletag_blacklist.go
@@ -33,7 +33,7 @@ expiration, before it is removed from the backend storage.`,
 }

 // tidyBlacklistRoleTag is used to clean-up the entries in the role tag blacklist.
-func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, safety_buffer int) (*logical.Response, error) {
+func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, safetyBuffer int) (*logical.Response, error) {
 	if !atomic.CompareAndSwapUint32(b.tidyBlacklistCASGuard, 0, 1) {
 		resp := &logical.Response{}
 		resp.AddWarning("Tidy operation already in progress.")
@@ -48,7 +48,7 @@ func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, s

 		logger := b.Logger().Named("bltidy")

-		bufferDuration := time.Duration(safety_buffer) * time.Second
+		bufferDuration := time.Duration(safetyBuffer) * time.Second

 		doTidy := func() error {
 			tags, err := s.List(ctx, "blacklist/roletag/")
@@ -76,7 +76,7 @@ func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, s
 				}

 				if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
-					if err := s.Delete(ctx, "blacklist/roletag"+tag); err != nil {
+					if err := s.Delete(ctx, "blacklist/roletag/"+tag); err != nil {
 						return errwrap.Wrapf(fmt.Sprintf("error deleting tag %q from storage: {{err}}", tag), err)
 					}
 				}