VAULT-32507: CE Changes (#29004)

2025-10-29 09:42:25 +00:00 · 2024-11-25 14:08:15 -05:00
parent d23892d803
commit b20beaec66
3 changed files with 104 additions and 42 deletions
--- a/helper/builtinplugins/registry_full.go
+++ b/helper/builtinplugins/registry_full.go
@@ -99,44 +99,44 @@ func newFullAddonRegistry() *registry {
 			"snowflake-database-plugin":         {Factory: dbSnowflake.New},
 		},
 		logicalBackends: map[string]logicalBackend{
-			"ad": {
+			pluginconsts.SecretEngineAD: {
 				Factory:           logicalAd.Factory,
 				DeprecationStatus: consts.Deprecated,
 			},
-			"alicloud": {Factory: logicalAlicloud.Factory},
-			"aws":      {Factory: logicalAws.Factory},
-			"azure":    {Factory: logicalAzure.Factory},
-			"cassandra": {
+			pluginconsts.SecretEngineAlicloud: {Factory: logicalAlicloud.Factory},
+			pluginconsts.SecretEngineAWS:      {Factory: logicalAws.Factory},
+			pluginconsts.SecretEngineAzure:    {Factory: logicalAzure.Factory},
+			pluginconsts.SecretEngineCassandra: {
 				Factory:           removedFactory,
 				DeprecationStatus: consts.Removed,
 			},
-			"consul":     {Factory: logicalConsul.Factory},
-			"gcp":        {Factory: logicalGcp.Factory},
-			"gcpkms":     {Factory: logicalGcpKms.Factory},
-			"kubernetes": {Factory: logicalKube.Factory},
-			"mongodb": {
+			pluginconsts.SecretEngineConsul:     {Factory: logicalConsul.Factory},
+			pluginconsts.SecretEngineGCP:        {Factory: logicalGcp.Factory},
+			pluginconsts.SecretEngineGCPKMS:     {Factory: logicalGcpKms.Factory},
+			pluginconsts.SecretEngineKubernetes: {Factory: logicalKube.Factory},
+			pluginconsts.SecretEngineMongoDB: {
 				Factory:           removedFactory,
 				DeprecationStatus: consts.Removed,
 			},
-			"mongodbatlas": {Factory: logicalMongoAtlas.Factory},
-			"mssql": {
+			pluginconsts.SecretEngineMongoDBAtlas: {Factory: logicalMongoAtlas.Factory},
+			pluginconsts.SecretEngineMSSQL: {
 				Factory:           removedFactory,
 				DeprecationStatus: consts.Removed,
 			},
-			"mysql": {
+			pluginconsts.SecretEngineMySQL: {
 				Factory:           removedFactory,
 				DeprecationStatus: consts.Removed,
 			},
-			"nomad":    {Factory: logicalNomad.Factory},
-			"openldap": {Factory: logicalLDAP.Factory},
-			"ldap":     {Factory: logicalLDAP.Factory},
-			"postgresql": {
+			pluginconsts.SecretEngineNomad:    {Factory: logicalNomad.Factory},
+			pluginconsts.SecretEngineOpenLDAP: {Factory: logicalLDAP.Factory},
+			pluginconsts.SecretEngineLDAP:     {Factory: logicalLDAP.Factory},
+			pluginconsts.SecretEnginePostgresql: {
 				Factory:           removedFactory,
 				DeprecationStatus: consts.Removed,
 			},
-			"rabbitmq":  {Factory: logicalRabbit.Factory},
-			"terraform": {Factory: logicalTerraform.Factory},
-			"totp":      {Factory: logicalTotp.Factory},
+			pluginconsts.SecretEngineRabbitMQ:  {Factory: logicalRabbit.Factory},
+			pluginconsts.SecretEngineTerraform: {Factory: logicalTerraform.Factory},
+			pluginconsts.SecretEngineTOTP:      {Factory: logicalTotp.Factory},
 		},
 	}
 }
--- a/helper/pluginconsts/plugin_consts.go
+++ b/helper/pluginconsts/plugin_consts.go
@@ -5,25 +5,61 @@ package pluginconsts

 // These consts live outside the plugin registry files to prevent import cycles.
 const (
-	AuthTypeAliCloud   = "alicloud"
-	AuthTypeAppId      = "app-id"
-	AuthTypeAWS        = "aws"
-	AuthTypeAzure      = "azure"
-	AuthTypeCF         = "cf"
-	AuthTypeGCP        = "gcp"
-	AuthTypeGitHub     = "github"
-	AuthTypeKerberos   = "kerberos"
-	AuthTypeKubernetes = "kubernetes"
-	AuthTypeLDAP       = "ldap"
-	AuthTypeOCI        = "oci"
-	AuthTypeOkta       = "okta"
-	AuthTypePCF        = "pcf"
-	AuthTypeRadius     = "radius"
-	AuthTypeToken      = "token"
-	AuthTypeCert       = "cert"
-	AuthTypeOIDC       = "oidc"
-	AuthTypeUserpass   = "userpass"
-	AuthTypeSAML       = "saml"
-	AuthTypeApprole    = "approle"
-	AuthTypeJWT        = "jwt"
+	AuthTypeAliCloud         = "alicloud"
+	AuthTypeAppId            = "app-id"
+	AuthTypeAWS              = "aws"
+	AuthTypeAzure            = "azure"
+	AuthTypeCF               = "cf"
+	AuthTypeGCP              = "gcp"
+	AuthTypeGitHub           = "github"
+	AuthTypeKerberos         = "kerberos"
+	AuthTypeKubernetes       = "kubernetes"
+	AuthTypeLDAP             = "ldap"
+	AuthTypeOCI              = "oci"
+	AuthTypeOkta             = "okta"
+	AuthTypePCF              = "pcf"
+	AuthTypeRadius           = "radius"
+	AuthTypeToken            = "token"
+	AuthTypeCert             = "cert"
+	AuthTypeOIDC             = "oidc"
+	AuthTypeUserpass         = "userpass"
+	AuthTypeSAML             = "saml"
+	AuthTypeApprole          = "approle"
+	AuthTypeJWT              = "jwt"
+	SecretEngineAD           = "ad"
+	SecretEngineAlicloud     = "alicloud"
+	SecretEngineAWS          = "aws"
+	SecretEngineAzure        = "azure"
+	SecretEngineCassandra    = "cassandra"
+	SecretEngineConsul       = "consul"
+	SecretEngineGCP          = "gcp"
+	SecretEngineGCPKMS       = "gcpkms"
+	SecretEngineKubernetes   = "kubernetes"
+	SecretEngineMongoDB      = "mongodb"
+	SecretEngineMongoDBAtlas = "mongodbatlas"
+	SecretEngineMSSQL        = "mssql"
+	SecretEngineMySQL        = "mysql"
+	SecretEngineNomad        = "nomad"
+	SecretEngineOpenLDAP     = "openldap"
+	SecretEngineLDAP         = "ldap"
+	SecretEnginePostgresql   = "postgresql"
+	SecretEngineRabbitMQ     = "rabbitmq"
+	SecretEngineTerraform    = "terraform"
+	SecretEngineTOTP         = "totp"
+	SecretEngineKV           = "kv"
+	SecretEngineTransform    = "transform"
+	SecretEngineKMIP         = "kmip"
+	SecretEngineKeymgmt      = "keymgmt"
+	SecretEnginePki          = "pki"
+	SecretEngineTransit      = "transit"
+	SecretEngineSsh          = "ssh"
+	SecretEngineCubbyhole    = "cubbyhole"
+	SecretEngineIdentity     = "identity"
+	SecretEngineSystem       = "system"
+	// SecretEngineGeneric is a very old and deprecated version of KV, but is left
+	// for completeness.
+	SecretEngineGeneric = "generic"
+	// SecretEngineDatabase is the entry type for all databases, i.e. this is the combined
+	// database type for every database.
+	SecretEngineDatabase = "database"
 )
--- a/vault/core_metrics.go
+++ b/vault/core_metrics.go
@@ -14,6 +14,7 @@ import (
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/pluginconsts"
 	"github.com/hashicorp/vault/limits"
 	"github.com/hashicorp/vault/physical/raft"
 	"github.com/hashicorp/vault/sdk/helper/consts"
@@ -402,7 +403,7 @@ func (c *Core) findKvMounts() []*kvMount {
 	}

 	for _, entry := range c.mounts.Entries {
-		if entry.Type == "kv" || entry.Type == "generic" {
+		if entry.Type == pluginconsts.SecretEngineKV || entry.Type == pluginconsts.SecretEngineGeneric {
 			version, ok := entry.Options["version"]
 			if !ok || version == "" {
 				version = "1"
@@ -535,6 +536,31 @@ func getMeanNamespaceSecrets(mapOfNamespacesToSecrets map[string]int) int {
 	return getTotalSecretsAcrossAllNamespaces(mapOfNamespacesToSecrets) / length
 }

+// GetSecretEngineUsageMetrics returns a map of secret engine mount types to the number of those mounts that exist.
+func (c *Core) GetSecretEngineUsageMetrics() map[string]int {
+	mounts := make(map[string]int)
+
+	c.authLock.RLock()
+	defer c.authLock.RUnlock()
+
+	// we don't grab the statelock, so this code might run during or after the seal process.
+	// Therefore, we need to check if c.auth is nil. If we do not, this will panic when
+	// run after seal.
+	if c.auth == nil {
+		return mounts
+	}
+
+	for _, entry := range c.mounts.Entries {
+		authType := entry.Type
+		if _, ok := mounts[authType]; !ok {
+			mounts[authType] = 1
+		} else {
+			mounts[authType] += 1
+		}
+	}
+	return mounts
+}
+
 // GetAuthMethodUsageMetrics returns a map of auth mount types to the number of those mounts that exist.
 func (c *Core) GetAuthMethodUsageMetrics() map[string]int {
 	mounts := make(map[string]int)