v1.14.6/builtin/credential/aws/path_tidy_roletag_denylist.go - hashicorp/vault - Git at Google

 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

 package awsauth

 import (
 	"context"
 	"fmt"
 	"net/http"
 	"sync/atomic"
 	"time"

 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/logical"
 )

 const (
 	denyListRoletagStorage = "blacklist/roletag/"
 )

 func (b *backend) pathTidyRoletagDenyList() *framework.Path {
 	return &framework.Path{
 		Pattern: "tidy/roletag-denylist$",

 		DisplayAttrs: &framework.DisplayAttributes{
 			OperationPrefix: operationPrefixAWS,
 			OperationSuffix: "role-tag-deny-list",
 			OperationVerb:   "tidy",
 		},

 		Fields: map[string]*framework.FieldSchema{
 			"safety_buffer": {
 				Type:    framework.TypeDurationSecond,
 				Default: 259200, // 72h
 				Description: `The amount of extra time that must have passed beyond the roletag
 expiration, before it is removed from the backend storage.`,
 			},
 		},

 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathTidyRoletagDenylistUpdate,
 			},
 		},

 		HelpSynopsis:    pathTidyRoletagDenylistSyn,
 		HelpDescription: pathTidyRoletagDenylistDesc,
 	}
 }

 // tidyDenyListRoleTag is used to clean-up the entries in the role tag deny list.
 func (b *backend) tidyDenyListRoleTag(ctx context.Context, req *logical.Request, safetyBuffer int) (*logical.Response, error) {
 	// If we are a performance standby forward the request to the active node
 	if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
 		return nil, logical.ErrReadOnly
 	}

 	if !atomic.CompareAndSwapUint32(b.tidyDenyListCASGuard, 0, 1) {
 		resp := &logical.Response{}
 		resp.AddWarning("Tidy operation already in progress.")
 		return resp, nil
 	}

 	s := req.Storage

 	go func() {
 		defer atomic.StoreUint32(b.tidyDenyListCASGuard, 0)

 		// Don't cancel when the original client request goes away
 		ctx = context.Background()

 		logger := b.Logger().Named("bltidy")

 		bufferDuration := time.Duration(safetyBuffer) * time.Second

 		doTidy := func() error {
 			tags, err := s.List(ctx, denyListRoletagStorage)
 			if err != nil {
 				return err
 			}

 			for _, tag := range tags {
 				tagEntry, err := s.Get(ctx, denyListRoletagStorage+tag)
 				if err != nil {
 					return fmt.Errorf("error fetching tag %q: %w", tag, err)
 				}

 				if tagEntry == nil {
 					return fmt.Errorf("tag entry for tag %q is nil", tag)
 				}

 				if tagEntry.Value == nil || len(tagEntry.Value) == 0 {
 					return fmt.Errorf("found entry for tag %q but actual tag is empty", tag)
 				}

 				var result roleTagBlacklistEntry
 				if err := tagEntry.DecodeJSON(&result); err != nil {
 					return err
 				}

 				if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
 					if err := s.Delete(ctx, denyListRoletagStorage+tag); err != nil {
 						return fmt.Errorf("error deleting tag %q from storage: %w", tag, err)
 					}
 				}
 			}

 			return nil
 		}

 		if err := doTidy(); err != nil {
 			logger.Error("error running deny list tidy", "error", err)
 			return
 		}
 	}()

 	resp := &logical.Response{}
 	resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
 	return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
 }

 // pathTidyRoletagDenylistUpdate is used to clean-up the entries in the role tag deny list.
 func (b *backend) pathTidyRoletagDenylistUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	return b.tidyDenyListRoleTag(ctx, req, data.Get("safety_buffer").(int))
 }

 const pathTidyRoletagDenylistSyn = `
 Clean-up the deny list role tag entries.
 `

 const pathTidyRoletagDenylistDesc = `
 When a role tag is deny listed, the expiration time of the deny list entry is
 set based on the maximum 'max_ttl' value set on: the role, the role tag and the
 backend's mount.

 When this endpoint is invoked, all the entries that are expired will be deleted.
 A 'safety_buffer' (duration in seconds) can be provided, to ensure deletion of
 only those entries that are expired before 'safety_buffer' seconds.
 `
	// Copyright (c) HashiCorp, Inc.
	// SPDX-License-Identifier: MPL-2.0

	package awsauth

	import (
	"context"
	"fmt"
	"net/http"
	"sync/atomic"
	"time"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/consts"
	"github.com/hashicorp/vault/sdk/logical"
	)

	const (
	denyListRoletagStorage = "blacklist/roletag/"
	)

	func (b backend) pathTidyRoletagDenyList() framework.Path {
	return &framework.Path{
	Pattern: "tidy/roletag-denylist$",

	DisplayAttrs: &framework.DisplayAttributes{
	OperationPrefix: operationPrefixAWS,
	OperationSuffix: "role-tag-deny-list",
	OperationVerb: "tidy",
	},

	Fields: map[string]*framework.FieldSchema{
	"safety_buffer": {
	Type: framework.TypeDurationSecond,
	Default: 259200, // 72h
	Description: `The amount of extra time that must have passed beyond the roletag
	expiration, before it is removed from the backend storage.`,
	},
	},

	Operations: map[logical.Operation]framework.OperationHandler{
	logical.UpdateOperation: &framework.PathOperation{
	Callback: b.pathTidyRoletagDenylistUpdate,
	},
	},

	HelpSynopsis: pathTidyRoletagDenylistSyn,
	HelpDescription: pathTidyRoletagDenylistDesc,
	}
	}

	// tidyDenyListRoleTag is used to clean-up the entries in the role tag deny list.
	func (b backend) tidyDenyListRoleTag(ctx context.Context, req logical.Request, safetyBuffer int) (*logical.Response, error) {
	// If we are a performance standby forward the request to the active node
	if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
	return nil, logical.ErrReadOnly
	}

	if !atomic.CompareAndSwapUint32(b.tidyDenyListCASGuard, 0, 1) {
	resp := &logical.Response{}
	resp.AddWarning("Tidy operation already in progress.")
	return resp, nil
	}

	s := req.Storage

	go func() {
	defer atomic.StoreUint32(b.tidyDenyListCASGuard, 0)

	// Don't cancel when the original client request goes away
	ctx = context.Background()

	logger := b.Logger().Named("bltidy")

	bufferDuration := time.Duration(safetyBuffer) * time.Second

	doTidy := func() error {
	tags, err := s.List(ctx, denyListRoletagStorage)
	if err != nil {
	return err
	}

	for _, tag := range tags {
	tagEntry, err := s.Get(ctx, denyListRoletagStorage+tag)
	if err != nil {
	return fmt.Errorf("error fetching tag %q: %w", tag, err)
	}

	if tagEntry == nil {
	return fmt.Errorf("tag entry for tag %q is nil", tag)
	}

	if tagEntry.Value == nil \|\| len(tagEntry.Value) == 0 {
	return fmt.Errorf("found entry for tag %q but actual tag is empty", tag)
	}

	var result roleTagBlacklistEntry
	if err := tagEntry.DecodeJSON(&result); err != nil {
	return err
	}

	if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
	if err := s.Delete(ctx, denyListRoletagStorage+tag); err != nil {
	return fmt.Errorf("error deleting tag %q from storage: %w", tag, err)
	}
	}
	}

	return nil
	}

	if err := doTidy(); err != nil {
	logger.Error("error running deny list tidy", "error", err)
	return
	}
	}()

	resp := &logical.Response{}
	resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
	return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
	}

	// pathTidyRoletagDenylistUpdate is used to clean-up the entries in the role tag deny list.
	func (b backend) pathTidyRoletagDenylistUpdate(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {
	return b.tidyDenyListRoleTag(ctx, req, data.Get("safety_buffer").(int))
	}

	const pathTidyRoletagDenylistSyn = `
	Clean-up the deny list role tag entries.
	`

	const pathTidyRoletagDenylistDesc = `
	When a role tag is deny listed, the expiration time of the deny list entry is
	set based on the maximum 'max_ttl' value set on: the role, the role tag and the
	backend's mount.

	When this endpoint is invoked, all the entries that are expired will be deleted.
	A 'safety_buffer' (duration in seconds) can be provided, to ensure deletion of
	only those entries that are expired before 'safety_buffer' seconds.
	`