scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-31 02:28:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Plugins: Update running version everywhere running sha256 is set (#17292)

Browse Source
This commit is contained in:
Tom Proctor
2022-09-23 11:19:38 +01:00
committed by GitHub
parent 66d6048da0
commit b5656f6353
10 changed files with 62 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
builtin/plugin/backend_test.go
View File

@@ -128,6 +128,7 @@ func testConfig(t *testing.T, pluginCmd string) (*logical.BackendConfig, func())
Config: map[string]string{ Config: map[string]string{
"plugin_name": "mock-plugin", "plugin_name": "mock-plugin",
"plugin_type": "secret", "plugin_type": "secret",
"plugin_version": "v0.0.0+mock",
}, },
} }

16
http/sys_auth_test.go
View File

@@ -45,7 +45,7 @@ func TestSysAuth(t *testing.T) {
"options": interface{}(nil), "options": interface{}(nil),
"plugin_version": "", "plugin_version": "",
"running_sha256": "", "running_sha256": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
}, },
}, },
"token/": map[string]interface{}{ "token/": map[string]interface{}{
@@ -63,7 +63,7 @@ func TestSysAuth(t *testing.T) {
"options": interface{}(nil), "options": interface{}(nil),
"plugin_version": "", "plugin_version": "",
"running_sha256": "", "running_sha256": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
}, },
} }
testResponseStatus(t, resp, 200) testResponseStatus(t, resp, 200)
@@ -145,7 +145,7 @@ func TestSysEnableAuth(t *testing.T) {
"options": interface{}(nil), "options": interface{}(nil),
"plugin_version": "", "plugin_version": "",
"running_sha256": "", "running_sha256": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
}, },
}, },
"foo/": map[string]interface{}{ "foo/": map[string]interface{}{
@@ -181,7 +181,7 @@ func TestSysEnableAuth(t *testing.T) {
"options": interface{}(nil), "options": interface{}(nil),
"plugin_version": "", "plugin_version": "",
"running_sha256": "", "running_sha256": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
}, },
} }
testResponseStatus(t, resp, 200) testResponseStatus(t, resp, 200)
@@ -248,7 +248,7 @@ func TestSysDisableAuth(t *testing.T) {
"options": interface{}(nil), "options": interface{}(nil),
"plugin_version": "", "plugin_version": "",
"running_sha256": "", "running_sha256": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
}, },
}, },
"token/": map[string]interface{}{ "token/": map[string]interface{}{
@@ -266,7 +266,7 @@ func TestSysDisableAuth(t *testing.T) {
"options": interface{}(nil), "options": interface{}(nil),
"plugin_version": "", "plugin_version": "",
"running_sha256": "", "running_sha256": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
}, },
} }
testResponseStatus(t, resp, 200) testResponseStatus(t, resp, 200)
@@ -542,7 +542,7 @@ func TestSysRemountAuth(t *testing.T) {
"options": interface{}(nil), "options": interface{}(nil),
"plugin_version": "", "plugin_version": "",
"running_sha256": "", "running_sha256": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
}, },
}, },
"bar/": map[string]interface{}{ "bar/": map[string]interface{}{
@@ -577,7 +577,7 @@ func TestSysRemountAuth(t *testing.T) {
"options": interface{}(nil), "options": interface{}(nil),
"plugin_version": "", "plugin_version": "",
"running_sha256": "", "running_sha256": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
}, },
} }
testResponseStatus(t, resp, 200) testResponseStatus(t, resp, 200)

2
sdk/plugin/grpc_backend_test.go
View File

@@ -157,7 +157,7 @@ func TestGRPCBackendPlugin_Version(t *testing.T) {
} }
version := versioner.PluginVersion().Version version := versioner.PluginVersion().Version
if version != "mock" { if version != "v0.0.0+mock" {
t.Fatalf("Got version %s, expected 'mock'", version) t.Fatalf("Got version %s, expected 'mock'", version)
} }
} }

2
sdk/plugin/mock/backend.go
View File

@@ -59,7 +59,7 @@ func Backend() *backend {
BackendType: logical.TypeLogical, BackendType: logical.TypeLogical,
} }
b.internal = "bar" b.internal = "bar"
b.RunningVersion = "mock" b.RunningVersion = "v0.0.0+mock"
return &b return &b
} }

15
vault/auth.go
View File

@@ -184,10 +184,8 @@ func (c *Core) enableCredentialInternal(ctx context.Context, entry *MountEntry,
if backendType != logical.TypeCredential { if backendType != logical.TypeCredential {
return fmt.Errorf("cannot mount %q of type %q as an auth backend", entry.Type, backendType) return fmt.Errorf("cannot mount %q of type %q as an auth backend", entry.Type, backendType)
} }
// update the entry running version with the backend's reported version // update the entry running version with the configured version, which was verified during registration.
if versioner, ok := backend.(logical.PluginVersioner); ok { entry.RunningVersion = entry.Version
entry.RunningVersion = versioner.PluginVersion().Version
}
if entry.RunningVersion == "" { if entry.RunningVersion == "" {
// don't set the running version to a builtin if it is running as an external plugin // don't set the running version to a builtin if it is running as an external plugin
if externaler, ok := backend.(logical.Externaler); !ok || !externaler.IsExternal() { if externaler, ok := backend.(logical.Externaler); !ok || !externaler.IsExternal() {
@@ -812,6 +810,15 @@ func (c *Core) setupCredentials(ctx context.Context) error {
return fmt.Errorf("nil backend returned from %q factory", entry.Type) return fmt.Errorf("nil backend returned from %q factory", entry.Type)
} }
// update the entry running version with the configured version, which was verified during registration.
entry.RunningVersion = entry.Version
if entry.RunningVersion == "" {
// don't set the running version to a builtin if it is running as an external plugin
if externaler, ok := backend.(logical.Externaler); !ok || !externaler.IsExternal() {
entry.RunningVersion = versions.GetBuiltinVersion(consts.PluginTypeCredential, entry.Type)
}
}
{ {
// Check for the correct backend type // Check for the correct backend type
backendType := backend.Type() backendType := backend.Type()

5
vault/external_plugin_test.go
View File

@@ -242,9 +242,8 @@ func TestCore_EnableExternalPlugin_MultipleVersions(t *testing.T) {
t.Errorf("Expected mount to be version %s but got %s", tc.expectedVersion, raw.(*routeEntry).mountEntry.Version) t.Errorf("Expected mount to be version %s but got %s", tc.expectedVersion, raw.(*routeEntry).mountEntry.Version)
} }
// we don't override the running version of non-builtins, and they don't have the version set explicitly (yet) if raw.(*routeEntry).mountEntry.RunningVersion != tc.expectedVersion {
if raw.(*routeEntry).mountEntry.RunningVersion != "" { t.Errorf("Expected mount running version to be %s but got %s", tc.expectedVersion, raw.(*routeEntry).mountEntry.RunningVersion)
t.Errorf("Expected mount to have no running version but got %s", raw.(*routeEntry).mountEntry.RunningVersion)
} }
if raw.(*routeEntry).mountEntry.RunningSha256 == "" { if raw.(*routeEntry).mountEntry.RunningSha256 == "" {

6
vault/logical_system_test.go
View File

@@ -1850,7 +1850,7 @@ func TestSystemBackend_authTable(t *testing.T) {
"seal_wrap": false, "seal_wrap": false,
"options": map[string]string(nil), "options": map[string]string(nil),
"plugin_version": "", "plugin_version": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
"running_sha256": "", "running_sha256": "",
}, },
} }
@@ -1936,7 +1936,7 @@ func TestSystemBackend_enableAuth(t *testing.T) {
"seal_wrap": false, "seal_wrap": false,
"options": map[string]string(nil), "options": map[string]string(nil),
"plugin_version": "", "plugin_version": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
"running_sha256": "", "running_sha256": "",
}, },
} }
@@ -3445,7 +3445,7 @@ func TestSystemBackend_InternalUIMounts(t *testing.T) {
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": false,
"plugin_version": "", "plugin_version": "",
"running_plugin_version": "", "running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
"running_sha256": "", "running_sha256": "",
}, },
}, },

15
vault/mount.go
View File

@@ -626,10 +626,8 @@ func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStora
} }
} }
// update the entry running version with the backend's reported version // update the entry running version with the configured version, which was verified during registration.
if versioner, ok := backend.(logical.PluginVersioner); ok { entry.RunningVersion = entry.Version
entry.RunningVersion = versioner.PluginVersion().Version
}
if entry.RunningVersion == "" { if entry.RunningVersion == "" {
// don't set the running version to a builtin if it is running as an external plugin // don't set the running version to a builtin if it is running as an external plugin
if externaler, ok := backend.(logical.Externaler); !ok || !externaler.IsExternal() { if externaler, ok := backend.(logical.Externaler); !ok || !externaler.IsExternal() {
@@ -1437,6 +1435,15 @@ func (c *Core) setupMounts(ctx context.Context) error {
return fmt.Errorf("created mount entry of type %q is nil", entry.Type) return fmt.Errorf("created mount entry of type %q is nil", entry.Type)
} }
// update the entry running version with the configured version, which was verified during registration.
entry.RunningVersion = entry.Version
if entry.RunningVersion == "" {
// don't set the running version to a builtin if it is running as an external plugin
if externaler, ok := backend.(logical.Externaler); !ok || !externaler.IsExternal() {
entry.RunningVersion = versions.GetBuiltinVersion(consts.PluginTypeSecrets, entry.Type)
}
}
{ {
// Check for the correct backend type // Check for the correct backend type
backendType := backend.Type() backendType := backend.Type()

7
vault/plugin_catalog.go
View File

@@ -827,6 +827,13 @@ func (c *PluginCatalog) setInternal(ctx context.Context, name string, pluginType
} else if version != "" && runningVersion.Version != "" && version != runningVersion.Version { } else if version != "" && runningVersion.Version != "" && version != runningVersion.Version {
c.logger.Warn("Plugin self-reported version did not match requested version", "plugin", name, "requestedVersion", version, "reportedVersion", runningVersion.Version) c.logger.Warn("Plugin self-reported version did not match requested version", "plugin", name, "requestedVersion", version, "reportedVersion", runningVersion.Version)
return nil, fmt.Errorf("plugin version mismatch: %s reported version (%s) did not match requested version (%s)", name, runningVersion.Version, version) return nil, fmt.Errorf("plugin version mismatch: %s reported version (%s) did not match requested version (%s)", name, runningVersion.Version, version)
} else if version == "" && runningVersion.Version != "" {
version = runningVersion.Version
_, err := semver.NewVersion(version)
if err != nil {
return nil, fmt.Errorf("plugin self-reported version %q is not a valid semantic version: %w", version, err)
}
} }
entry := &pluginutil.PluginRunner{ entry := &pluginutil.PluginRunner{

15
vault/plugin_reload.go
View File

@@ -6,9 +6,11 @@ import (
"strings" "strings"
"github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/helper/versions"
"github.com/hashicorp/go-multierror" "github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-secure-stdlib/strutil"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/plugin" "github.com/hashicorp/vault/sdk/plugin"
) )
@@ -188,6 +190,19 @@ func (c *Core) reloadBackendCommon(ctx context.Context, entry *MountEntry, isAut
return fmt.Errorf("nil backend of type %q returned from creation function", entry.Type) return fmt.Errorf("nil backend of type %q returned from creation function", entry.Type)
} }
// update the entry running version with the configured version, which was verified during registration.
entry.RunningVersion = entry.Version
if entry.RunningVersion == "" {
// don't set the running version to a builtin if it is running as an external plugin
if externaler, ok := backend.(logical.Externaler); !ok || !externaler.IsExternal() {
if isAuth {
entry.RunningVersion = versions.GetBuiltinVersion(consts.PluginTypeCredential, entry.Type)
} else {
entry.RunningVersion = versions.GetBuiltinVersion(consts.PluginTypeSecrets, entry.Type)
}
}
}
// update the mount table since we changed the runningSha // update the mount table since we changed the runningSha
if oldSha != entry.RunningSha256 && MountTableUpdateStorage { if oldSha != entry.RunningSha256 && MountTableUpdateStorage {
if isAuth { if isAuth {