scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-31 18:48:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

VAULT-28656 CE changes for Proxy bug (#27730)

Browse Source 
* VAULT-28656 CE changes for Proxy bug

* VAULT-28656 changelog

* VAULT-28656 rename changelog
This commit is contained in:
Violet Hynes
2024-07-10 09:38:51 -04:00
committed by GitHub
parent 261c9a8fbb
commit b9c892f8aa
4 changed files with 17 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/27730.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
proxy/cache (enterprise): Fixed an issue where cached static secrets could fail to update if the secrets belonged to a non-root namespace.
```

5
command/agentproxyshared/cache/lease_cache.go vendored
View File

@@ -411,7 +411,7 @@ func (c *LeaseCache) Send(ctx context.Context, req *SendRequest) (*SendResponse,
return nil, err return nil, err
} }
if cachedResp != nil { if cachedResp != nil {
c.logger.Debug("returning cached static secret response", "id", staticSecretCacheId, "path", req.Request.URL.Path) c.logger.Debug("returning cached static secret response", "id", staticSecretCacheId, "path", getStaticSecretPathFromRequest(req))
return cachedResp, nil return cachedResp, nil
} }
} }
@@ -482,6 +482,7 @@ func (c *LeaseCache) Send(ctx context.Context, req *SendRequest) (*SendResponse,
// included in the request path. // included in the request path.
index.RequestPath = getStaticSecretPathFromRequest(req) index.RequestPath = getStaticSecretPathFromRequest(req)
c.logger.Trace("attempting to cache static secret with following request path", "request path", index.RequestPath)
err := c.cacheStaticSecret(ctx, req, resp, index) err := c.cacheStaticSecret(ctx, req, resp, index)
if err != nil { if err != nil {
return nil, err return nil, err
@@ -665,7 +666,7 @@ func (c *LeaseCache) cacheStaticSecret(ctx context.Context, req *SendRequest, re
func (c *LeaseCache) storeStaticSecretIndex(ctx context.Context, req *SendRequest, index *cachememdb.Index) error { func (c *LeaseCache) storeStaticSecretIndex(ctx context.Context, req *SendRequest, index *cachememdb.Index) error {
// Store the index in the cache // Store the index in the cache
c.logger.Debug("storing static secret response into the cache", "method", req.Request.Method, "path", req.Request.URL.Path, "id", index.ID) c.logger.Debug("storing static secret response into the cache", "method", req.Request.Method, "path", index.RequestPath, "id", index.ID)
err := c.Set(ctx, index) err := c.Set(ctx, index)
if err != nil { if err != nil {
c.logger.Error("failed to cache the proxied response", "error", err) c.logger.Error("failed to cache the proxied response", "error", err)

11
command/agentproxyshared/cache/static_secret_cache_updater.go vendored
View File

@@ -163,6 +163,10 @@ func (updater *StaticSecretCacheUpdater) streamStaticSecretEvents(ctx context.Co
if !ok { if !ok {
return fmt.Errorf("unexpected event format when decoding 'path' element, message: %s\nerror: %w", string(message), err) return fmt.Errorf("unexpected event format when decoding 'path' element, message: %s\nerror: %w", string(message), err)
} }
namespace, ok := data["namespace"].(string)
if ok {
path = namespace + path
}
err := updater.updateStaticSecret(ctx, path) err := updater.updateStaticSecret(ctx, path)
if err != nil { if err != nil {
// While we are kind of 'missing' an event this way, re-calling this function will // While we are kind of 'missing' an event this way, re-calling this function will
@@ -218,6 +222,10 @@ func (updater *StaticSecretCacheUpdater) updateStaticSecret(ctx context.Context,
return err return err
} }
// Clear the client's header namespace since we'll be including the
// namespace as part of the path.
client.ClearNamespace()
indexId := hashStaticSecretIndex(path) indexId := hashStaticSecretIndex(path)
updater.logger.Debug("received update static secret request", "path", path, "indexId", indexId) updater.logger.Debug("received update static secret request", "path", path, "indexId", indexId)
@@ -248,7 +256,7 @@ func (updater *StaticSecretCacheUpdater) updateStaticSecret(ctx context.Context,
request.Headers.Set(api.AuthHeaderName, token) request.Headers.Set(api.AuthHeaderName, token)
resp, err = client.RawRequestWithContext(ctx, request) resp, err = client.RawRequestWithContext(ctx, request)
if err != nil { if err != nil {
updater.logger.Trace("received error when trying to update cache", "path", path, "err", err, "token", token) updater.logger.Trace("received error when trying to update cache", "path", path, "err", err, "token", token, "namespace", index.Namespace)
// We cannot access this secret with this token for whatever reason, // We cannot access this secret with this token for whatever reason,
// so token for removal. // so token for removal.
tokensToRemove = append(tokensToRemove, token) tokensToRemove = append(tokensToRemove, token)
@@ -329,6 +337,7 @@ func (updater *StaticSecretCacheUpdater) openWebSocketConnection(ctx context.Con
} }
query := webSocketURL.Query() query := webSocketURL.Query()
query.Set("json", "true") query.Set("json", "true")
query.Set("namespaces", "*")
webSocketURL.RawQuery = query.Encode() webSocketURL.RawQuery = query.Encode()
updater.client.AddHeader(api.AuthHeaderName, updater.client.Token()) updater.client.AddHeader(api.AuthHeaderName, updater.client.Token())

2
command/agentproxyshared/cache/static_secret_cache_updater_test.go vendored
View File

@@ -407,7 +407,7 @@ func TestOpenWebSocketConnectionReceivesEventsKVV1(t *testing.T) {
} }
} }
// TestOpenWebSocketConnectionReceivesEvents tests that the openWebSocketConnection function // TestOpenWebSocketConnectionReceivesEventsKVV2 tests that the openWebSocketConnection function
// works as expected with KVV2, and then the connection can be used to receive an event. // works as expected with KVV2, and then the connection can be used to receive an event.
// This acts as more of an event system sanity check than a test of the updater // This acts as more of an event system sanity check than a test of the updater
// logic. It's still important coverage, though. // logic. It's still important coverage, though.