Revoke multiple tokens/accessors #2922

32 changes: 32 additions & 0 deletions logical/response.go
Expand Up @@ -2,6 +2,8 @@ package logical

import (
"errors"
"fmt"
"strings"

"github.com/hashicorp/vault/helper/wrapping"
)
Expand Down Expand Up @@ -81,6 +83,36 @@ func (r *Response) Error() error {
return nil
}

func (r *Response) SetError(err error, errorData interface{}) {
I'm not sure we need this method on the response struct. I would much rather formatting of the errors being handled by the caller instead of trying to generalize it here.

var additionalErrorText, errText string = "", ""
switch m := errorData.(type) {
case []map[string]string:
items := make([]string, len(m))
for idx, errItem := range m {
errItemFields := make([]string, 0, len(errItem))
for k, v := range errItem {
errItemFields = append(errItemFields, fmt.Sprintf("%s=%s", k, v))
}
items[idx] = strings.Join(errItemFields, ",")
}
additionalErrorText = strings.Join(items, "\n")
}

if len(additionalErrorText) != 0 {
errText = fmt.Sprintf("%s\n%s", err.Error(), additionalErrorText)
} else {
errText = err.Error()
}

if r.Data == nil {
r.Data = map[string]interface{}{
"error": errText,
}
} else {
r.Data["error"] = errText
}
}

// HelpResponse is used to format a help response
func HelpResponse(text string, seeAlso []string) *Response {
return &Response{
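Review bot: The field order inside each failed-revoke item is not deterministic, because `for k, v := range errItem` in `SetError` walks a map in random iteration order, so the same failure renders as `accessor=…,error=…` on one request and `error=…,accessor=…` on the next, which makes the text hard to grep or parse. Collect and sort the keys first, e.g. `keys := make([]string, 0, len(errItem)); for k := range errItem { keys = append(keys, k) }; sort.Strings(keys)`, then range over `keys` when building `errItemFields` (and add `"sort"` to the import block this section already touches). The `%s=%s`, `,` and newline encoding is also ambiguous when a key or value itself contains `=`, `,` or a newline, so a consumer cannot reliably split it back apart; `%q` for the value, or a structured field in `r.Data` alongside the text, would remove the ambiguity. `err.Error()` is called unconditionally, so a nil `err` panics; a nil guard or a doc comment stating that `err` must be non-nil would make the contract explicit.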
120 changes: 87 additions & 33 deletions vault/token_store.go
Expand Up @@ -335,12 +335,12 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)

Fields: map[string]*framework.FieldSchema{
"urlaccessor": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Accessor of the token (URL parameter)",
Type: framework.TypeCommaStringSlice,
Description: "Accessor(s) of the token (URL parameter)",
The URL parameter can't be used in this way, and it's also deprecated. Just the request body is sufficient.

fixed

},
"accessor": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Accessor of the token (request body)",
Type: framework.TypeCommaStringSlice,
Description: "Accessor(s) of the token (request body)",
},
},

Expand Down Expand Up @@ -368,12 +368,12 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)

Fields: map[string]*framework.FieldSchema{
"urltoken": &framework.FieldSchema{
Type: framework.TypeString,
Same comment.

fixed

Description: "Token to revoke (URL parameter)",
Type: framework.TypeCommaStringSlice,
Description: "Token(s) to revoke (URL parameter)",
},
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to revoke (request body)",
Type: framework.TypeCommaStringSlice,
Description: "Token(s) to revoke (request body)",
},
},

Expand Down Expand Up @@ -1039,6 +1039,20 @@ func (ts *TokenStore) RevokeTree(id string) error {
return nil
}

// RevokeTrees is used to invalide multiple tokens and all
// child tokens.
func (ts *TokenStore) RevokeTrees(ids []string) []error {
defer metrics.MeasureSince([]string{"token", "revoke-trees"}, time.Now())

errs := make([]error, len(ids))

for idx, id := range ids {
errs[idx] = ts.RevokeTree(id)
}

return errs
}

// revokeTreeSalted is used to invalide a given token and all
// child tokens using a saltedID.
func (ts *TokenStore) revokeTreeSalted(saltedId string) error {
Expand Down Expand Up @@ -1325,32 +1339,58 @@ func (ts *TokenStore) handleUpdateLookupAccessor(req *logical.Request, data *fra
// the token associated with the accessor
func (ts *TokenStore) handleUpdateRevokeAccessor(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
var urlaccessor bool
accessor := data.Get("accessor").(string)
if accessor == "" {
accessor = data.Get("urlaccessor").(string)
if accessor == "" {
accessors := data.Get("accessor").([]string)

if len(accessors) == 0 {
accessors = data.Get("urlaccessor").([]string)
if len(accessors) == 0 {
return nil, &logical.StatusBadRequest{Err: "missing accessor"}
}
urlaccessor = true
}

aEntry, err := ts.lookupByAccessor(accessor, true)
if err != nil {
return nil, err
errs := make([]error, len(accessors))
See comments below about using hashicorp/go-multierror.

tokens := make([]string, len(accessors))
This list may not be the length of the accessor list in the case of errors. I would just set it to length zero and append to the slice.


for idx, accessor := range accessors {
aEntry, err := ts.lookupByAccessor(accessor, true)
if err != nil {
errs[idx] = err
tokens[idx] = ""
You will need to continue after an error to move on to the next item.

}

tokens[idx] = aEntry.TokenID
}

// Revoke the token and its children
if err := ts.RevokeTree(aEntry.TokenID); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
revokeErrors := ts.RevokeTrees(tokens)

response := &logical.Response{}
failedRevokes := make([]map[string]string, 0, len(revokeErrors))

for idx, revokeError := range revokeErrors {
if errs[idx] == nil {
errs[idx] = revokeError
}

if errs[idx] != nil {
failedRevokes = append(failedRevokes, map[string]string{
While I'm not sure what this should be, I'm sure that it should not be a string map.

Possibly the return value should be a slice of the same size as the input with either nulls or error messages. There's no need to return the accessors if the ordering is the same.

@ikhahmedov ikhahmedov Jul 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possibly the return value should be a slice of the same size as the input with either nulls or error messages.

I am also not sure about this part. If the number of revoked accessors/tokens is small, that's fine, but if we are going to revoke millions of tokens at once, the response may contain a huge amount of unnecessary data: millions of nulls or empty strings.

There's no need to return the accessors if the ordering is the same

How will the user determine which accessors failed? The ordering is the same, but not all accessors may fail.

When something returns multiple errors, we normally use hashicorp/go-multierror and I think it would work in this case. I think it would remove a lot of the backwards compatibility logic since it would just contain one error in the case of a single accessor.

"accessor": accessors[idx],
"error": errs[idx].Error(),
})
}
}

if len(failedRevokes) > 0 {
response.SetError(fmt.Errorf("contains failed revokes"), failedRevokes)
}

if urlaccessor {
resp := &logical.Response{}
resp.AddWarning(`Using an accessor in the path is unsafe as the accessor can be logged in many places. Please use POST or PUT with the accessor passed in via the "accessor" parameter.`)
return resp, nil
response.AddWarning(`Using an accessor in the path is unsafe as the accessor can be logged in many places. Please use POST or PUT with the accessor passed in via the "accessor" parameter.`)
} else if len(failedRevokes) == 0 {
return nil, nil
}

return nil, nil
If only a single accessor is given, the previous return values should be retained.

fixed

return response, nil
}

// handleCreate handles the auth/token/create path for creation of new orphan
Expand Down Expand Up @@ -1793,27 +1833,41 @@ func (ts *TokenStore) handleRevokeSelf(
func (ts *TokenStore) handleRevokeTree(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
var urltoken bool
id := data.Get("token").(string)
if id == "" {
id = data.Get("urltoken").(string)
if id == "" {
tokens := data.Get("token").([]string)

if len(tokens) == 0 {
tokens = data.Get("urltoken").([]string)
if len(tokens) == 0 {
return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
}
urltoken = true
}

// Revoke the token and its children
if err := ts.RevokeTree(id); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
revokeErrors := ts.RevokeTrees(tokens)

response := &logical.Response{}
failedRevokes := make([]map[string]string, 0, len(revokeErrors))

for idx, revokeError := range revokeErrors {
if revokeError != nil {
failedRevokes = append(failedRevokes, map[string]string{
"token": tokens[idx],
"error": revokeError.Error(),
})
}
}

if len(failedRevokes) > 0 {
response.SetError(fmt.Errorf("contains failed revokes"), failedRevokes)
}

if urltoken {
resp := &logical.Response{}
resp.AddWarning(`Using a token in the path is unsafe as the token can be logged in many places. Please use POST or PUT with the token passed in via the "token" parameter.`)
return resp, nil
response.AddWarning(`Using a token in the path is unsafe as the token can be logged in many places. Please use POST or PUT with the token passed in via the "token" parameter.`)
} else if len(failedRevokes) == 0 {
return nil, nil
}

return nil, nil
return response, nil
}

// handleRevokeOrphan handles the auth/token/revoke-orphan/id path for revocation of tokens
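Review bot: `handleRevokeTree` now writes the raw token IDs of failed revocations into the response's error text, via the `"token": tokens[idx]` entry handed to `response.SetError`, while the warning a few lines below states that a token in the path is unsafe because it "can be logged in many places"; the same concern applies to a token embedded in an error string, which generic error handling and client-side logging may record verbatim. Identify the failed entry by its position in the submitted list (or by accessor, as `handleUpdateRevokeAccessor` does) rather than by the token value, e.g. `"index": fmt.Sprintf("%d", idx)` in place of the `"token"` entry, since the caller already holds the list it sent. The accompanying doc comment should say that the error text never echoes token IDs, so a later edit does not reintroduce them.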
113 changes: 113 additions & 0 deletions vault/token_store_test.go
Expand Up @@ -11,6 +11,7 @@ import (
"time"

"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
)

Expand Down Expand Up @@ -393,6 +394,70 @@ func TestTokenStore_HandleRequest_RevokeAccessor(t *testing.T) {
}
}

func TestTokenStore_HandleRequest_RevokeAccessors_Multiple(t *testing.T) {
_, ts, _, root := TestCoreWithTokenStore(t)
tokenIds := []string{"tokenid1", "tokenid2", "tokenid3"}
accessors := make([]string, len(tokenIds))

for idx, token := range tokenIds {
testMakeToken(t, ts, root, token, "", []string{"foo"})
out, err := ts.Lookup(token)
if err != nil {
t.Fatalf("err: %s", err)
}
if out == nil {
t.Fatalf("err: %s", err)
}

accessors[idx] = out.Accessor
}

req := logical.TestRequest(t, logical.UpdateOperation, "revoke-accessor")
req.Data = map[string]interface{}{
"accessor": accessors,
}

_, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %s", err)
}

for _, token := range tokenIds {
out, err := ts.Lookup(token)
if err != nil {
t.Fatalf("err: %s", err)
}
if out != nil {
t.Fatalf("err: %s", err)
}
}

// revoke again
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %s", err)
}

if !resp.IsError() {
t.Fatalf("response should have an error, but no error found")
}

errorLines := strings.Split(resp.Error().Error(), "\n")
if len(errorLines) < 2 {
t.Fatalf("expected list of failed revokes")
}

for _, line := range errorLines[1:] {
fields := strings.Split(line, ",")
for _, value := range fields {
pair := strings.Split(value, "=")
if pair[0] == "accessor" && !strutil.StrListContains(accessors, pair[1]) {
t.Fatalf("expected: accessor fail when revoking (%s)", pair[1])
}
}
}
}

func TestTokenStore_RootToken(t *testing.T) {
_, ts, _, _ := TestCoreWithTokenStore(t)

Expand Down Expand Up @@ -1267,6 +1332,54 @@ func TestTokenStore_HandleRequest_Revoke(t *testing.T) {
}
}

func TestTokenStore_HandleRequest_Revoke_Multiple(t *testing.T) {
_, ts, _, root := TestCoreWithTokenStore(t)
tokens := []string{"token1", "token2"}
tokenChilds := []string{"token1-sub-child", "token2-sub-child"}

for idx, tokenStr := range tokens {
testMakeToken(t, ts, root, tokenStr, "", []string{"root", "foo"})
testMakeToken(t, ts, tokenStr, tokenChilds[idx], "", []string{"foo"})
}

tokensToRevoke := make([]string, 0, len(tokens)+1)
tokensToRevoke = append(tokens, tokenChilds[0])

tokenListStr := strings.Join(tokensToRevoke, ",")

req := logical.TestRequest(t, logical.UpdateOperation, "revoke")
req.Data = map[string]interface{}{
"token": tokenListStr,
}
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}

// exclude last token, because it doesn't have a child token
for idx, tokenStr := range tokensToRevoke[:len(tokens)] {
out, err := ts.Lookup(tokenStr)
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}

// Sub-child should not exist
out, err = ts.Lookup(tokenChilds[idx])
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
}
}

func TestTokenStore_HandleRequest_RevokeOrphan(t *testing.T) {
_, ts, _, root := TestCoreWithTokenStore(t)
testMakeToken(t, ts, root, "child", "", []string{"root", "foo"})
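Review bot: In `TestTokenStore_HandleRequest_Revoke_Multiple` the slice allocated by `tokensToRevoke := make([]string, 0, len(tokens)+1)` is discarded on the very next line, because `append(tokens, tokenChilds[0])` appends to `tokens` and its result replaces the variable; either drop the `make` or write `tokensToRevoke = append(tokensToRevoke, tokens...)` before appending the child. In `TestTokenStore_HandleRequest_RevokeAccessors_Multiple`, the `if out == nil` branch reports `t.Fatalf("err: %s", err)` with an `err` that is nil at that point, so the failure message carries no information; `t.Fatalf("token %q not found after creation", token)` says what actually went wrong. The same test recovers accessors by splitting the error text on `,` and `=`, which mis-parses any value that itself contains those characters; asserting on a structured field of the response would be more robust than parsing the rendered string.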