scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix barrier key autoration config edge cases (#11541)

Browse Source 
* Add an Int64 type

* Use the new Int64 type so that even 32 bit builds can specify max_operations above 2^31

* Missed a spot

* go mod vendor

* fix cast

* changelog

* Update unit test to ensure this works on both 32 and 64-bit archs
This commit is contained in:
Scott Miller
2021-05-05 14:39:04 -05:00
committed by GitHub
parent 3c0762dbfb
commit f538631581
10 changed files with 30 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/11541.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
core: Fix edge cases in the configuration endpoint for barrier key autorotation.
```

2
go.mod
View File

@@ -104,7 +104,7 @@ require (
github.com/hashicorp/vault-plugin-secrets-openldap v0.4.0 github.com/hashicorp/vault-plugin-secrets-openldap v0.4.0
github.com/hashicorp/vault-plugin-secrets-terraform v0.1.0 github.com/hashicorp/vault-plugin-secrets-terraform v0.1.0
github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457 github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457
github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6 github.com/hashicorp/vault/sdk v0.1.14-0.20210505171055-299f311fa707
github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4 github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4
github.com/jcmturner/gokrb5/v8 v8.0.0 github.com/jcmturner/gokrb5/v8 v8.0.0
github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f

11
sdk/framework/field_data.go
View File

@@ -38,7 +38,7 @@ func (d *FieldData) Validate() error {
} }
switch schema.Type { switch schema.Type {
case TypeBool, TypeInt, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, case TypeBool, TypeInt, TypeInt64, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString,
TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice, TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice,
TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime: TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime:
_, _, err := d.getPrimitive(field, schema) _, _, err := d.getPrimitive(field, schema)
@@ -131,7 +131,7 @@ func (d *FieldData) GetOkErr(k string) (interface{}, bool, error) {
} }
switch schema.Type { switch schema.Type {
case TypeBool, TypeInt, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, case TypeBool, TypeInt, TypeInt64, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString,
TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice, TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice,
TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime: TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime:
return d.getPrimitive(k, schema) return d.getPrimitive(k, schema)
@@ -162,6 +162,13 @@ func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bo
} }
return result, true, nil return result, true, nil
case TypeInt64:
var result int64
if err := mapstructure.WeakDecode(raw, &result); err != nil {
return nil, false, err
}
return result, true, nil
case TypeFloat: case TypeFloat:
var result float64 var result float64
if err := mapstructure.WeakDecode(raw, &result); err != nil { if err := mapstructure.WeakDecode(raw, &result); err != nil {

1
sdk/framework/field_type.go
View File

@@ -7,6 +7,7 @@ const (
TypeInvalid FieldType = 0 TypeInvalid FieldType = 0
TypeString FieldType = iota TypeString FieldType = iota
TypeInt TypeInt
TypeInt64
TypeBool TypeBool
TypeMap TypeMap

4
vault/logical_system.go
View File

@@ -2566,7 +2566,7 @@ func (b *SystemBackend) handleKeyRotationConfigUpdate(ctx context.Context, req *
return nil, err return nil, err
} }
if ok { if ok {
rotConfig.MaxOperations = int64(maxOps.(int)) rotConfig.MaxOperations = maxOps.(int64)
} }
interval, ok, err := data.GetOkErr("interval") interval, ok, err := data.GetOkErr("interval")
if err != nil { if err != nil {
@@ -2585,7 +2585,7 @@ func (b *SystemBackend) handleKeyRotationConfigUpdate(ctx context.Context, req *
} }
// Reject out of range settings // Reject out of range settings
if rotConfig.Interval < minimumRotationInterval { if rotConfig.Interval < minimumRotationInterval && rotConfig.Interval != 0 {
return logical.ErrorResponse("interval must be greater or equal to %s", minimumRotationInterval.String()), logical.ErrInvalidRequest return logical.ErrorResponse("interval must be greater or equal to %s", minimumRotationInterval.String()), logical.ErrInvalidRequest
} }

2
vault/logical_system_paths.go
View File

@@ -610,7 +610,7 @@ func (b *SystemBackend) sealPaths() []*framework.Path {
Description: strings.TrimSpace(sysHelp["rotation-enabled"][0]), Description: strings.TrimSpace(sysHelp["rotation-enabled"][0]),
}, },
"max_operations": { "max_operations": {
Type: framework.TypeInt, // 64? Type: framework.TypeInt64,
Description: strings.TrimSpace(sysHelp["rotation-max-operations"][0]), Description: strings.TrimSpace(sysHelp["rotation-max-operations"][0]),
}, },
"interval": { "interval": {

13
vault/logical_system_test.go
View File

@@ -2066,7 +2066,7 @@ func TestSystemBackend_rotateConfig(t *testing.T) {
} }
req2 := logical.TestRequest(t, logical.UpdateOperation, "rotate/config") req2 := logical.TestRequest(t, logical.UpdateOperation, "rotate/config")
req2.Data["max_operations"] = 123456789 req2.Data["max_operations"] = int64(3221225472)
req2.Data["interval"] = "5432h0m0s" req2.Data["interval"] = "5432h0m0s"
req2.Data["enabled"] = false req2.Data["enabled"] = false
@@ -2081,20 +2081,11 @@ func TestSystemBackend_rotateConfig(t *testing.T) {
} }
exp = map[string]interface{}{ exp = map[string]interface{}{
"max_operations": 123456789, "max_operations": int64(3221225472),
"interval": "5432h0m0s", "interval": "5432h0m0s",
"enabled": false, "enabled": false,
} }
// Not pretty, but on a 64-bit machine, the response value is 64-bit, while on a 32 bit machine it'll be an int
// DeepEqual rejects it due to the type difference
if d, ok := resp.Data["max_operations"]; ok {
v, ok := d.(int64)
if ok {
resp.Data["max_operations"] = int(v)
}
}
if !reflect.DeepEqual(resp.Data, exp) { if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp) t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
} }

11
vendor/github.com/hashicorp/vault/sdk/framework/field_data.go generated vendored
View File

@@ -38,7 +38,7 @@ func (d *FieldData) Validate() error {
} }
switch schema.Type { switch schema.Type {
case TypeBool, TypeInt, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, case TypeBool, TypeInt, TypeInt64, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString,
TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice, TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice,
TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime: TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime:
_, _, err := d.getPrimitive(field, schema) _, _, err := d.getPrimitive(field, schema)
@@ -131,7 +131,7 @@ func (d *FieldData) GetOkErr(k string) (interface{}, bool, error) {
} }
switch schema.Type { switch schema.Type {
case TypeBool, TypeInt, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, case TypeBool, TypeInt, TypeInt64, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString,
TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice, TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice,
TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime: TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime:
return d.getPrimitive(k, schema) return d.getPrimitive(k, schema)
@@ -162,6 +162,13 @@ func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bo
} }
return result, true, nil return result, true, nil
case TypeInt64:
var result int64
if err := mapstructure.WeakDecode(raw, &result); err != nil {
return nil, false, err
}
return result, true, nil
case TypeFloat: case TypeFloat:
var result float64 var result float64
if err := mapstructure.WeakDecode(raw, &result); err != nil { if err := mapstructure.WeakDecode(raw, &result); err != nil {

1
vendor/github.com/hashicorp/vault/sdk/framework/field_type.go generated vendored
View File

@@ -7,6 +7,7 @@ const (
TypeInvalid FieldType = 0 TypeInvalid FieldType = 0
TypeString FieldType = iota TypeString FieldType = iota
TypeInt TypeInt
TypeInt64
TypeBool TypeBool
TypeMap TypeMap

2
vendor/modules.txt vendored
View File

@@ -709,7 +709,7 @@ github.com/hashicorp/vault-plugin-secrets-terraform
# github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457 => ./api # github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457 => ./api
## explicit ## explicit
github.com/hashicorp/vault/api github.com/hashicorp/vault/api
# github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6 => ./sdk # github.com/hashicorp/vault/sdk v0.1.14-0.20210505171055-299f311fa707 => ./sdk
## explicit ## explicit
github.com/hashicorp/vault/sdk/database/dbplugin github.com/hashicorp/vault/sdk/database/dbplugin
github.com/hashicorp/vault/sdk/database/dbplugin/v5 github.com/hashicorp/vault/sdk/database/dbplugin/v5