AOP: Add NeverDrop request priority (enterprise) (#26745)

This PR introduces the CE plumbing for a new high WritePriority, meant
to bypass rejection from the AOP write controller. We attach this
priority to any request on a sudo path, such that administrators can
still perform necessary operations during an overload.
Mike Palmiotto
2024-05-01 15:45:34 -04:00
committed by GitHub
parent c5fac98d2d
commit d4a046820d
3 changed files with 23 additions and 5 deletions


@@ -33,15 +33,16 @@ const (
// StandardHTTP is the default AOPWritePriority for HTTP requests. // StandardHTTP is the default AOPWritePriority for HTTP requests.
StandardHTTP AOPWritePriority = 128 StandardHTTP AOPWritePriority = 128
// NeverDrop is used to mark a request such that it will never be rejected.
// This is currently used as an administrative priority used for requests on
// paths which require sudo capabilities.
NeverDrop AOPWritePriority = 255
) )
// String returns the string representation of the AOPWritePriority. // String returns the string representation of the AOPWritePriority.
func (p AOPWritePriority) String() string { func (p AOPWritePriority) String() string {
switch p { return strconv.FormatUint(uint64(p), 8)
case AlwaysDrop:
return strconv.FormatUint(uint64(p), 8)
}
return ""
} }
// StringToAOPWritePriority converts a string to an AOPWritePriority. // StringToAOPWritePriority converts a string to an AOPWritePriority.
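Review bot: The rewritten String body `return strconv.FormatUint(uint64(p), 8)` formats in base 8, so NeverDrop prints as "377" and StandardHTTP as "200", which anyone reading a log line or header value will take for decimal. The switch it replaces used the same base, so this may be deliberate, but then the doc comment above the function should say so, e.g. `// String returns the octal representation of the AOPWritePriority.`; otherwise `return strconv.FormatUint(uint64(p), 10)` is the expected form. StringToAOPWritePriority, declared on the last line of the hunk and continuing outside it, must parse with the same base or a round trip silently yields a different priority; worth confirming.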


@@ -114,6 +114,10 @@ type Auth struct {
// EntityCreated is set to true if an entity is created as part of a login request // EntityCreated is set to true if an entity is created as part of a login request
EntityCreated bool `json:"entity_created"` EntityCreated bool `json:"entity_created"`
// HTTPRequestPriority contains potential information about the request
// priority based on required path capabilities
HTTPRequestPriority *uint8 `json:"http_request_priority"`
} }
func (a *Auth) GoString() string { func (a *Auth) GoString() string {
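Review bot: The new HTTPRequestPriority field is declared as *uint8 although the value assigned to it elsewhere in this commit is an AOPWritePriority (`uint8(priority.NeverDrop)` in CheckToken), and its comment says neither what nil means nor who sets it. Suggested comment: `// HTTPRequestPriority, when non-nil, holds the AOPWritePriority that CheckToken assigned from the path's required capabilities (stored as uint8, presumably to avoid importing the priority package); nil means no override.` The json tag has no omitempty, so every marshalled Auth now carries "http_request_priority": null; if Auth is persisted or audited in JSON form, `json:"http_request_priority,omitempty"` keeps the new key out of existing records. The Auth struct begins outside the hunk.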


@@ -484,6 +484,12 @@ func (c *Core) CheckToken(ctx context.Context, req *logical.Request, unauth bool
RootPrivsRequired: rootPath, RootPrivsRequired: rootPath,
}) })
// Assign the sudo path priority if the request is issued against a sudo path.
if rootPath {
pri := uint8(priority.NeverDrop)
auth.HTTPRequestPriority = &pri
}
auth.PolicyResults = &logical.PolicyResults{ auth.PolicyResults = &logical.PolicyResults{
Allowed: authResults.Allowed, Allowed: authResults.Allowed,
} }
@@ -1014,6 +1020,13 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
return nil, nil, ctErr return nil, nil, ctErr
} }
// See if the call to CheckToken set any request priority. We push the
// processing down into CheckToken so we only have to do a router lookup
// once.
if auth != nil && auth.HTTPRequestPriority != nil {
ctx = context.WithValue(ctx, logical.CtxKeyInFlightRequestPriority{}, *auth.HTTPRequestPriority)
}
// Updating in-flight request data with client/entity ID // Updating in-flight request data with client/entity ID
inFlightReqID, ok := ctx.Value(logical.CtxKeyInFlightRequestID{}).(string) inFlightReqID, ok := ctx.Value(logical.CtxKeyInFlightRequestID{}).(string)
if ok && req.ClientID != "" { if ok && req.ClientID != "" {
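Review bot: In CheckToken the NeverDrop priority is attached at `if rootPath {` before authResults.Allowed is consulted on the lines that follow, so the field is set on the auth of any caller targeting a sudo path, not only on callers the ACL permits. Whether that is observable depends on code outside the hunk (CheckToken presumably returns an error on a denied request, and handleRequest only reads the field after the ctErr return in the second hunk), but gating the assignment on the decision makes the intent explicit and keeps the bypass from ever being attached to a denied request: `if rootPath && authResults.Allowed {`. The second hunk stores the value in the context as a plain uint8 via `*auth.HTTPRequestPriority`, so whatever reads CtxKeyInFlightRequestPriority must assert uint8 rather than AOPWritePriority; a one-line comment saying so would save the next reader a lookup. Both CheckToken and handleRequest begin outside their hunks.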