Revoke multiple tokens/accessors #2922

32 changes: 32 additions & 0 deletions logical/response.go
Expand Up @@ -2,6 +2,8 @@ package logical

import (
"errors"
"fmt"
"strings"

"github.com/hashicorp/vault/helper/wrapping"
)
Expand Down Expand Up @@ -81,6 +83,36 @@ func (r *Response) Error() error {
return nil
}

func (r *Response) SetError(err error, errorData interface{}) {

I'm not sure we need this method on the response struct. I would much rather formatting of the errors being handled by the caller instead of trying to generalize it here.

var additionalErrorText, errText string = "", ""
switch m := errorData.(type) {
case []map[string]string:
items := make([]string, len(m))
for idx, errItem := range m {
errItemFields := make([]string, 0, len(errItem))
for k, v := range errItem {
errItemFields = append(errItemFields, fmt.Sprintf("%s=%s", k, v))
}
items[idx] = strings.Join(errItemFields, ",")
}
additionalErrorText = strings.Join(items, "\n")
}

if len(additionalErrorText) != 0 {
errText = fmt.Sprintf("%s\n%s", err.Error(), additionalErrorText)
} else {
errText = err.Error()
}

if r.Data == nil {
r.Data = map[string]interface{}{
"error": errText,
}
} else {
r.Data["error"] = errText
}
}

// HelpResponse is used to format a help response
func HelpResponse(text string, seeAlso []string) *Response {
return &Response{
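Review bot: The flattening in SetError is lossy: the `for k, v := range errItem` loop emits the `k=v` pairs in Go's random map iteration order, and a value that itself contains `,`, `=` or `\n` (error messages often do) cannot be split apart again, so a client cannot reliably recover which accessor or token failed from the `error` string alone. I would keep the structured data next to the text, e.g. `r.Data["failed_revokes"] = errorData` right after the `error` assignment, and say in a doc comment that `error` is the human-readable rendering only. Separately, `err.Error()` is called without a nil check on both branches, so a nil `err` panics; either guard it (`if err == nil { return }`) or document the non-nil precondition in a doc comment on the method, which currently has none.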
132 changes: 105 additions & 27 deletions vault/token_store.go
Expand Up @@ -339,8 +339,8 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
Description: "Accessor of the token (URL parameter)",
},
"accessor": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Accessor of the token (request body)",
Type: framework.TypeCommaStringSlice,
Description: "Accessor(s) of the token (request body)",
},
},

Expand Down Expand Up @@ -372,8 +372,8 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
Description: "Token to revoke (URL parameter)",
},
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to revoke (request body)",
Type: framework.TypeCommaStringSlice,
Description: "Token(s) to revoke (request body)",
},
},

Expand Down Expand Up @@ -1039,6 +1039,20 @@ func (ts *TokenStore) RevokeTree(id string) error {
return nil
}

// RevokeTrees is used to invalide multiple tokens and all
// child tokens.
func (ts *TokenStore) RevokeTrees(ids []string) []error {
defer metrics.MeasureSince([]string{"token", "revoke-trees"}, time.Now())

errs := make([]error, len(ids))

for idx, id := range ids {
errs[idx] = ts.RevokeTree(id)
}

return errs
}

// revokeTreeSalted is used to invalide a given token and all
// child tokens using a saltedID.
func (ts *TokenStore) revokeTreeSalted(saltedId string) error {
Expand Down Expand Up @@ -1325,29 +1339,69 @@ func (ts *TokenStore) handleUpdateLookupAccessor(req *logical.Request, data *fra
// the token associated with the accessor
func (ts *TokenStore) handleUpdateRevokeAccessor(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
var urlaccessor bool
accessor := data.Get("accessor").(string)
if accessor == "" {
accessor = data.Get("urlaccessor").(string)
if accessor == "" {
accessors := data.Get("accessor").([]string)

if len(accessors) == 0 {
accessors = []string{data.Get("urlaccessor").(string)}
if len(accessors) == 0 {
return nil, &logical.StatusBadRequest{Err: "missing accessor"}
}
urlaccessor = true
}

aEntry, err := ts.lookupByAccessor(accessor, true)
if err != nil {
return nil, err
errs := make([]error, len(accessors))

See comments below about using hashicorp/go-multierror.

tokens := make([]string, len(accessors))

This list may not be the length of the accessor list in the case of errors. I would just set it to length zero and append to the slice.


for idx, accessor := range accessors {
aEntry, err := ts.lookupByAccessor(accessor, true)
if err != nil {
if len(accessors) == 1 {

It should be fine to let this flow through to the error handling blocks.

// backward compatibility with 0.7.3
return nil, err
}
errs[idx] = err
tokens[idx] = ""

You will need to continue after an error to move on to the next item.

}

tokens[idx] = aEntry.TokenID
}

// Revoke the token and its children
if err := ts.RevokeTree(aEntry.TokenID); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
revokeErrors := ts.RevokeTrees(tokens)

response := &logical.Response{}
failedRevokes := make([]map[string]string, 0, len(revokeErrors))

for idx, revokeError := range revokeErrors {
if errs[idx] == nil {
errs[idx] = revokeError
}

if errs[idx] != nil {
failedRevokes = append(failedRevokes, map[string]string{

While I'm not sure what this should be, I'm sure that it should not be a string map.

Possibly the return value should be a slice of the same size as the input with either nulls or error messages. There's no need to return the accessors if the ordering is the same.

@ikhahmedov ikhahmedov Jul 15, 2017

Possibly the return value should be a slice of the same size as the input with either nulls or error messages.

I am also not sure about this part, if number of revoked accessors/tokens are small, thats fine, if we are going to revoke millions of tokens at once, response may contain huge unnecessary data millions of nulls or empty strings

There's no need to return the accessors if the ordering is the same

How user will determine which accessors are failed, ordering is same, but not all accessors may fail?


When something returns multiple errors, we normally use hashicorp/go-multierror and I think it would work in this case. I think it would remove a lot of the backwards compatibility logic since it would just contain one error in the case of a single accessor.

"accessor": accessors[idx],
"error": errs[idx].Error(),
})
}
}

if urlaccessor {
resp := &logical.Response{}
resp.AddWarning(`Using an accessor in the path is unsafe as the accessor can be logged in many places. Please use POST or PUT with the accessor passed in via the "accessor" parameter.`)
return resp, nil
response.AddWarning(`Using an accessor in the path is unsafe as the accessor can be logged in many places. Please use POST or PUT with the accessor passed in via the "accessor" parameter.`)
}

if len(accessors) == 1 {
// backward compatibility with 0.7.3
if len(failedRevokes) == 1 {
return logical.ErrorResponse(errs[0].Error()), logical.ErrInvalidRequest
} else if urlaccessor {
return response, nil
} else {
return nil, nil
}
}

if len(failedRevokes) > 0 {
response.SetError(fmt.Errorf("contains failed revokes"), failedRevokes)
return response, nil
}

return nil, nil
Expand Down Expand Up @@ -1793,24 +1847,48 @@ func (ts *TokenStore) handleRevokeSelf(
func (ts *TokenStore) handleRevokeTree(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
var urltoken bool
id := data.Get("token").(string)
if id == "" {
id = data.Get("urltoken").(string)
if id == "" {
tokens := data.Get("token").([]string)

if len(tokens) == 0 {
tokens = []string{data.Get("urltoken").(string)}
if len(tokens) == 0 {
return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
}
urltoken = true
}

// Revoke the token and its children
if err := ts.RevokeTree(id); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
revokeErrors := ts.RevokeTrees(tokens)

response := &logical.Response{}
failedRevokes := make([]map[string]string, 0, len(revokeErrors))

for idx, revokeError := range revokeErrors {
if revokeError != nil {
failedRevokes = append(failedRevokes, map[string]string{
"token": tokens[idx],
"error": revokeError.Error(),
})
}
}

if urltoken {
resp := &logical.Response{}
resp.AddWarning(`Using a token in the path is unsafe as the token can be logged in many places. Please use POST or PUT with the token passed in via the "token" parameter.`)
return resp, nil
response.AddWarning(`Using a token in the path is unsafe as the token can be logged in many places. Please use POST or PUT with the token passed in via the "token" parameter.`)
}

if len(tokens) == 1 {
// backward compatibility with 0.7.3
if len(failedRevokes) == 1 {
return logical.ErrorResponse(revokeErrors[0].Error()), logical.ErrInvalidRequest
} else if urltoken {
return response, nil
} else {
return nil, nil
}
}

if len(failedRevokes) > 0 {
response.SetError(fmt.Errorf("contains failed revokes"), failedRevokes)
return response, nil
}

return nil, nil
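Review bot: The "missing token ID" check in handleRevokeTree can no longer fire: `tokens = []string{data.Get("urltoken").(string)}` always yields a one-element slice, so `len(tokens) == 0` is false even when the URL parameter is empty, and a request carrying neither parameter goes on to `RevokeTrees([]string{""})` (whatever RevokeTree does with an empty id is outside this hunk) and is then handled as a single-token request. Replace the inner block with `id := data.Get("urltoken").(string)`, `if id == "" { return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest }`, `tokens = []string{id}`; the `urlaccessor` branch in handleUpdateRevokeAccessor has the identical dead check. A multi-token request with partial failures returns `response, nil`, so a caller that only inspects the error return (and any status derived from it) sees success while some tokens remain valid; returning `logical.ErrInvalidRequest` with the response, as the single-token path does, keeps the two paths consistent. Echoing the raw token ID into `failedRevokes` (`"token": tokens[idx]`) also puts a secret into an error string that the warning a few lines below says may be logged in many places; the accessor, or just the position in the request, is the safer identifier. The body of handleRevokeTree closes outside the hunk.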
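--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@@ -11,6 +11,7 @@ import (
 "time"
 
 "github.com/hashicorp/go-uuid"
+"github.com/hashicorp/vault/helper/strutil"
 "github.com/hashicorp/vault/logical"
 )
 
@@ -393,6 +394,70 @@ func TestTokenStore_HandleRequest_RevokeAccessor(t *testing.T) {
 }
 }
 
+func TestTokenStore_HandleRequest_RevokeAccessors_Multiple(t *testing.T) {
+_, ts, _, root := TestCoreWithTokenStore(t)
+tokenIds := []string{"tokenid1", "tokenid2", "tokenid3"}
+accessors := make([]string, len(tokenIds))
+
+for idx, token := range tokenIds {
+testMakeToken(t, ts, root, token, "", []string{"foo"})
+out, err := ts.Lookup(token)
+if err != nil {
+t.Fatalf("err: %s", err)
+}
+if out == nil {
+t.Fatalf("err: %s", err)
+}
+
+accessors[idx] = out.Accessor
+}
+
+req := logical.TestRequest(t, logical.UpdateOperation, "revoke-accessor")
+req.Data = map[string]interface{}{
+"accessor": accessors,
+}
+
+_, err := ts.HandleRequest(req)
+if err != nil {
+t.Fatalf("err: %s", err)
+}
+
+for _, token := range tokenIds {
+out, err := ts.Lookup(token)
+if err != nil {
+t.Fatalf("err: %s", err)
+}
+if out != nil {
+t.Fatalf("err: %s", err)
+}
+}
+
+// revoke again
+resp, err := ts.HandleRequest(req)
+if err != nil {
+t.Fatalf("err: %s", err)
+}
+
+if !resp.IsError() {
+t.Fatalf("response should have an error, but no error found")
+}
+
+errorLines := strings.Split(resp.Error().Error(), "\n")
+if len(errorLines) < 2 {
+t.Fatalf("expected list of failed revokes")
+}
+
+for _, line := range errorLines[1:] {
+fields := strings.Split(line, ",")
+for _, value := range fields {
+pair := strings.Split(value, "=")
+if pair[0] == "accessor" && !strutil.StrListContains(accessors, pair[1]) {
+t.Fatalf("expected: accessor fail when revoking (%s)", pair[1])
+}
+}
+}
+}
+
 func TestTokenStore_RootToken(t *testing.T) {
 _, ts, _, _ := TestCoreWithTokenStore(t)
 
@@ -1267,6 +1332,54 @@ func TestTokenStore_HandleRequest_Revoke(t *testing.T) {
 }
 }
 
+func TestTokenStore_HandleRequest_Revoke_Multiple(t *testing.T) {
+_, ts, _, root := TestCoreWithTokenStore(t)
+tokens := []string{"token1", "token2"}
+tokenChilds := []string{"token1-sub-child", "token2-sub-child"}
+
+for idx, tokenStr := range tokens {
+testMakeToken(t, ts, root, tokenStr, "", []string{"root", "foo"})
+testMakeToken(t, ts, tokenStr, tokenChilds[idx], "", []string{"foo"})
+}
+
+tokensToRevoke := make([]string, 0, len(tokens)+1)
+tokensToRevoke = append(tokens, tokenChilds[0])
+
+tokenListStr := strings.Join(tokensToRevoke, ",")
+
+req := logical.TestRequest(t, logical.UpdateOperation, "revoke")
+req.Data = map[string]interface{}{
+"token": tokenListStr,
+}
+resp, err := ts.HandleRequest(req)
+if err != nil {
+t.Fatalf("err: %v %v", err, resp)
+}
+if resp != nil {
+t.Fatalf("bad: %#v", resp)
+}
+
+// exclude last token, because it doesn't have a child token
+for idx, tokenStr := range tokensToRevoke[:len(tokens)] {
+out, err := ts.Lookup(tokenStr)
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+if out != nil {
+t.Fatalf("bad: %v", out)
+}
+
+// Sub-child should not exist
+out, err = ts.Lookup(tokenChilds[idx])
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+if out != nil {
+t.Fatalf("bad: %v", out)
+}
+}
+}
+
 func TestTokenStore_HandleRequest_RevokeOrphan(t *testing.T) {
 _, ts, _, root := TestCoreWithTokenStore(t)
 testMakeToken(t, ts, root, "child", "", []string{"root", "foo"})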
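Review bot: Neither new test exercises the partial-failure path the change introduces — one valid and one unknown token or accessor in the same request — which is exactly where the handler merges lookup errors and revoke errors into `failedRevokes`; a case that sends `[]string{"token1", "does-not-exist"}` and asserts both that `token1` is gone afterwards and that the response is an error would pin that behaviour. In TestTokenStore_HandleRequest_Revoke_Multiple the `make([]string, 0, len(tokens)+1)` result is discarded on the next line by `tokensToRevoke = append(tokens, tokenChilds[0])`; drop the `make`, or append onto the made slice with `tokensToRevoke = append(tokensToRevoke, tokens...)`. The parser in RevokeAccessors_Multiple splits the error text on `,` and `=`, so it passes silently whenever an error message happens to contain either character; asserting `len(errorLines)-1 == len(accessors)` before the loop would make the check fail loudly instead.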