package gitlab
import (
"context"
"errors"
"net/http"
"strings"
"sync"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/locksutil"
"github.com/hashicorp/vault/sdk/logical"
)
// operationPrefixGitlabAccessTokens is used as expected prefix for OpenAPI operation id's.
const operationPrefixGitlabAccessTokens = "gitlab"

// backendHelp is the help text for this mount; Factory trims the surrounding
// whitespace before handing it to the SDK.
const backendHelp = `
The Gitlab Access token auth Backend dynamically generates private
and group tokens.
After mounting this Backend, credentials to manage Gitlab tokens must be configured
with the "config/" endpoints.
`
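// Factory builds the GitLab access-token secrets backend and runs the SDK
// Setup on it. It is the entry point Vault calls when the plugin is mounted.
//
// Storage choices made here matter for how the admin credentials rest:
//   - PathConfigStorage (the entry holding the configured GitLab token) is
//     listed under SealWrapStorage, so on editions that support seal wrapping
//     it is additionally encrypted with the seal's key.
//   - The WAL prefix is marked as local storage, so write-ahead entries stay
//     on the node that wrote them.
//
// Returns the backend on success. When Setup fails the error is returned with
// a nil backend, so a half-initialised Backend is never handed to Vault.
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
	// b.client starts out nil; getClient builds it lazily from the stored
	// config on first use.
	b := &Backend{
		roleLocks: locksutil.CreateLocks(),
	}
	b.Backend = &framework.Backend{
		BackendType:    logical.TypeLogical,
		Help:           strings.TrimSpace(backendHelp),
		RunningVersion: Version,
		// Drop the cached GitLab client when the config entry is replaced
		// (see Invalidate), so new credentials take effect.
		Invalidate: b.Invalidate,
		PathsSpecial: &logical.Paths{
			LocalStorage: []string{
				framework.WALPrefix,
			},
			SealWrapStorage: []string{
				PathConfigStorage,
			},
		},
		Secrets: []*framework.Secret{
			secretAccessTokens(b),
		},
		Paths: framework.PathAppend(
			[]*framework.Path{
				pathConfig(b),
				pathConfigTokenRotate(b),
				pathListRoles(b),
				pathRoles(b),
				pathTokenRoles(b),
			},
		),
		PeriodicFunc: b.periodicFunc,
	}
	if err := b.Setup(ctx, conf); err != nil {
		return nil, err
	}
	return b, nil
}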
// Backend is the GitLab access-token secrets engine. It embeds the SDK
// framework.Backend (paths, help and storage wiring come from Factory) and
// adds the lazily-built GitLab API client plus the locks guarding it and the roles.
type Backend struct {
	*framework.Backend
	// The client that we can use to create and revoke the access tokens.
	// It is nil until getClient builds it from the stored config, and it is
	// reset to nil by Invalidate when that config entry changes.
	client Client
	// Mutex to protect access to gitlab clients and client configs, a change to the gitlab client config
	// would invalidate the gitlab client, so it will need to be reinitialized.
	// NOTE(review): every read and write of `client` should happen under this
	// mutex; SetClient itself does not lock, so its caller has to.
	lockClientMutex sync.RWMutex
	// roleLocks to protect access for roles, during modifications, deletion
	// (a locksutil lock set; presumably keyed by role name — see the role path handlers).
	roleLocks []*locksutil.LockEntry
}
// periodicFunc is the SDK periodic hook for this mount. Its single job is to
// drive auto-rotation of the configured GitLab token when AutoRotateToken is
// set in the stored config.
//
// Only a node whose replication state permits storage writes does anything;
// elsewhere the hook returns nil immediately, so a replica never attempts a
// rotation. An unconfigured mount (no config entry) is also a no-op.
//
// Returns the storage error from reading the config, or the result of
// checkAndRotateConfigToken (nil when rotation was not needed or succeeded).
func (b *Backend) periodicFunc(ctx context.Context, request *logical.Request) error {
	b.Logger().Debug("Periodic action executing")
	if !b.WriteSafeReplicationState() {
		return nil
	}

	// NOTE(review): the exclusive lock is held around a pure storage read; an
	// RLock would do unless the config path handlers rely on this — confirm.
	b.lockClientMutex.Lock()
	config, readErr := getConfig(ctx, request.Storage)
	b.lockClientMutex.Unlock()

	switch {
	case readErr != nil:
		return readErr
	case config == nil || !config.AutoRotateToken:
		return nil
	}
	// Join of a single result: nil stays nil, a real error stays inspectable
	// with errors.Is / errors.As.
	return errors.Join(b.checkAndRotateConfigToken(ctx, request, config))
}
// Invalidate is the SDK invalidation hook; key is the storage path that
// changed. The only key this backend reacts to is the config entry: when it
// changes, the cached GitLab client is discarded so the next getClient
// rebuilds it from the new config (and thus the new credentials). Any other
// key is ignored.
func (b *Backend) Invalidate(ctx context.Context, key string) {
	b.Logger().Debug("Backend invalidate", "key", key)
	if key != PathConfigStorage {
		return
	}
	b.Logger().Warn("Gitlab config changed, reinitializing the gitlab client")
	// Exclusive lock: readers in getClient must not observe the client while
	// it is being cleared.
	b.lockClientMutex.Lock()
	b.client = nil
	b.lockClientMutex.Unlock()
}
// SetClient stores client as the backend's GitLab client. A nil client is
// logged and otherwise ignored, so an existing client is never cleared
// through this method (Invalidate does that).
//
// SetClient performs no locking: the caller is responsible for holding
// lockClientMutex for writing. NOTE(review): the nil check is on the
// interface value, so a typed-nil implementation would be stored — confirm
// callers never pass one.
func (b *Backend) SetClient(client Client) {
	if client != nil {
		b.Logger().Debug("Setting a new client")
		b.client = client
		return
	}
	b.Logger().Debug("Setting a nil client")
}
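// getClient returns the GitLab API client to use for a request. A cached,
// still-valid client is shared; otherwise the stored config is read and a
// fresh client is built from it and cached on the backend.
//
// Precedence: a client injected through ctx (GitlabClientFromContext) wins
// over the cached/stored one and is NOT cached, so callers that bring their
// own client do not replace the shared one.
//
// Every access to b.client goes through lockClientMutex: the fast path takes
// a shared RLock, and the rebuild takes the exclusive lock and re-checks, so
// concurrent callers cannot each construct and store their own client and
// cannot race Invalidate (which clears the field under the same lock).
//
// Returns an error when the config cannot be read (client is nil) or when
// NewGitlabClient fails.
func (b *Backend) getClient(ctx context.Context, s logical.Storage) (client Client, err error) {
	// Fast path: shared read of the cached client.
	b.lockClientMutex.RLock()
	if b.client != nil && b.client.Valid() {
		client = b.client
		b.lockClientMutex.RUnlock()
		b.Logger().Debug("Returning existing gitlab client")
		return client, nil
	}
	b.lockClientMutex.RUnlock()

	// Slow path: exclusive lock for the rebuild. Re-check first, because
	// another caller may have rebuilt the client between RUnlock and Lock.
	b.lockClientMutex.Lock()
	defer b.lockClientMutex.Unlock()
	if b.client != nil && b.client.Valid() {
		b.Logger().Debug("Returning existing gitlab client")
		return b.client, nil
	}

	var config *EntryConfig
	config, err = getConfig(ctx, s)
	if err != nil {
		b.Logger().Error("Failed to retrieve configuration", "error", err.Error())
		return nil, err
	}
	// NOTE(review): config is nil when the mount has not been configured yet
	// (periodicFunc treats that as "nothing to do"); NewGitlabClient is
	// expected to reject a nil config rather than dereference it — confirm.

	// Optional caller-supplied *http.Client (presumably for tests or custom
	// transports); absence is fine, so the ok flag is deliberately ignored.
	var httpClient *http.Client
	httpClient, _ = HttpClientFromContext(ctx)

	if client, _ = GitlabClientFromContext(ctx); client == nil {
		if client, err = NewGitlabClient(config, httpClient, b.Logger()); err == nil {
			// The write lock is held here; SetClient itself does not lock.
			b.SetClient(client)
		}
	}
	return client, err
}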