diff options
author | vnugent <public@vaughnnugent.com> | 2024-05-22 15:28:54 -0400 |
---|---|---|
committer | vnugent <public@vaughnnugent.com> | 2024-05-22 15:28:54 -0400 |
commit | 1350c983c371fdd6a93596c8474345f9168284e1 (patch) | |
tree | 7c6f1815d9a01bec4a97c2f53c3ec0f608222b45 /lib/VNLib.Plugins.Extensions.Loading/src/Secrets/HCVaultClient.cs | |
parent | 5ad520e078414ca26f6144da0aab4e975347a121 (diff) |
Squashed commit of the following:
commit 27fb5382d80d9bcfb4c65974bbae20c5e7b8ccbc
Author: vnugent <public@vaughnnugent.com>
Date: Wed May 22 00:57:34 2024 -0400
feat: Vault environment vars
commit 69f13e43dfdd8069459800ccc3039f45fc884814
Author: vnugent <public@vaughnnugent.com>
Date: Wed May 15 22:04:43 2024 -0400
fix: #3 Defer vault loading until a secret actually needs it
commit c848787d4830a73e9ba93898897282be2f3752f2
Author: vnugent <public@vaughnnugent.com>
Date: Wed May 15 22:02:02 2024 -0400
package updates
commit 21c6c85f540740ac29536a7091346a731aa85148
Author: vnugent <public@vaughnnugent.com>
Date: Wed May 15 22:01:16 2024 -0400
fix: #3 Error raised when managed password type disposed
commit 8e77289041349b16536497f48f0c0a4ec6fe30f5
Author: vnugent <public@vaughnnugent.com>
Date: Thu May 2 15:44:42 2024 -0400
feat: #2 Middleware helpers, proj cleanup, fix sync secrets, vault client
commit e0a5c85297516188e57b54d9b530b2482cb03eb0
Merge: a977dab 5ad520e
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 27 17:44:09 2024 -0400
Merge branch 'master' into develop
commit a977dabef1dec915e00f755cb3ee3363aa9985f1
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 27 17:26:35 2024 -0400
chore: package updates
commit a2e2c3c4152d000b8df25c3c3fee14d491aab2c6
Merge: f03b727 87bfa83
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 20 12:11:45 2024 -0400
Merge branch 'master' into develop
commit f03b727d8f8e52f1dbd6293ea5c5a492c6d8e2da
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 20 12:02:07 2024 -0400
chore: Package updates
Diffstat (limited to 'lib/VNLib.Plugins.Extensions.Loading/src/Secrets/HCVaultClient.cs')
-rw-r--r-- | lib/VNLib.Plugins.Extensions.Loading/src/Secrets/HCVaultClient.cs | 151 |
1 files changed, 58 insertions, 93 deletions
diff --git a/lib/VNLib.Plugins.Extensions.Loading/src/Secrets/HCVaultClient.cs b/lib/VNLib.Plugins.Extensions.Loading/src/Secrets/HCVaultClient.cs index a06f490..885f22f 100644 --- a/lib/VNLib.Plugins.Extensions.Loading/src/Secrets/HCVaultClient.cs +++ b/lib/VNLib.Plugins.Extensions.Loading/src/Secrets/HCVaultClient.cs @@ -30,7 +30,6 @@ using System.Net; using System.Net.Http; using System.Net.Sockets; using System.Net.Security; -using System.Diagnostics; using System.Threading.Tasks; using System.Collections.Generic; using System.Text.Json.Serialization; @@ -50,7 +49,12 @@ using VNLib.Utils.Extensions; namespace VNLib.Plugins.Extensions.Loading { - internal sealed class HCVaultClient : VnDisposeable, IHCVaultClient + + /// <summary> + /// A concret implementation of a Hashicorp Vault client instance used to + /// retrieve key-value secrets from a server + /// </summary> + public sealed class HCVaultClient : VnDisposeable, IKvVaultClient { const string VaultTokenHeaderName = "X-Vault-Token"; const long MaxErrResponseContentLength = 8192; @@ -62,7 +66,7 @@ namespace VNLib.Plugins.Extensions.Loading private readonly int _kvVersion; private readonly IUnmangedHeap _bufferHeap; - HCVaultClient(string serverAddress, string hcToken, int kvVersion, bool trustCert, IUnmangedHeap heap) + private HCVaultClient(string serverAddress, string hcToken, int kvVersion, bool trustCert, IUnmangedHeap heap) { #pragma warning disable CA2000 // Dispose objects before losing scope HttpClientHandler handler = new() @@ -99,17 +103,17 @@ namespace VNLib.Plugins.Extensions.Loading /// Creates a new Hashicorp vault client with the given server address, token, and KV storage version /// </summary> /// <param name="serverAddress">The vault server address</param> - /// <param name="hcToken">The vault token used to connect to the vault server</param> + /// <param name="token">The vault token used to connect to the vault server</param> /// <param name="kvVersion">The hc vault Key value store version (must be 1 or 2)</param> /// <param name="trustCert">A value that tells the HTTP client to trust the Vault server's certificate even if it's not valid</param> /// <param name="heap">Heap instance to allocate internal buffers from</param> /// <returns>The new client instance</returns> /// <exception cref="ArgumentException"></exception> /// <exception cref="ArgumentNullException"></exception> - public static HCVaultClient Create(string serverAddress, string hcToken, int kvVersion, bool trustCert, IUnmangedHeap heap) + public static HCVaultClient Create(string serverAddress, string token, int kvVersion, bool trustCert, IUnmangedHeap heap) { ArgumentException.ThrowIfNullOrEmpty(serverAddress); - ArgumentException.ThrowIfNullOrEmpty(hcToken); + ArgumentException.ThrowIfNullOrEmpty(token); ArgumentNullException.ThrowIfNull(heap); if(kvVersion != 1 && kvVersion != 2) @@ -117,7 +121,29 @@ namespace VNLib.Plugins.Extensions.Loading throw new ArgumentException($"Unsupported vault KV storage version {kvVersion}, must be either 1 or 2"); } - return new HCVaultClient(serverAddress, hcToken, kvVersion, trustCert, heap); + return new HCVaultClient(serverAddress, token, kvVersion, trustCert, heap); + } + + /// <summary> + /// Creates a new Hashicorp vault client from the default Vault environment + /// variables VAULT_ADDR and VAULT_TOKEN. From client documentation + /// </summary> + /// <param name="kvVersion">The hc vault Key value store version (must be 1 or 2)</param> + /// <param name="trustCert">A value that tells the HTTP client to trust the Vault server's certificate even if it's not valid</param> + /// <param name="heap">Heap instance to allocate internal buffers from</param> + /// <returns>The new client instance</returns> + /// <exception cref="ArgumentException"></exception> + /// <exception cref="ArgumentNullException"></exception> + /// <exception cref="KeyNotFoundException"></exception> + public static HCVaultClient CreateFromEnv(int kvVersion, bool trustCert, IUnmangedHeap heap) + { + string address = Environment.GetEnvironmentVariable("VAULT_ADDR") + ?? throw new KeyNotFoundException("VAULT_ADDR environment variable not found"); + + string token = Environment.GetEnvironmentVariable("VAULT_TOKEN") + ?? throw new KeyNotFoundException("VAULT_TOKEN environment variable not found"); + + return Create(address, token, kvVersion, trustCert, heap); } ///<inheritdoc/> @@ -137,10 +163,10 @@ namespace VNLib.Plugins.Extensions.Loading using HttpResponseMessage response = await _client.SendAsync(ms, HttpCompletionOption.ResponseHeadersRead); //Check if an error occured in the response - await ProcessVaultErrorResponseAsync(response, true); + await ProcessVaultErrorResponseAsync(response); //Read the response async - using SecretResponse res = await ReadSecretResponse(response.Content, true); + using SecretResponse res = await ReadSecretResponse(response.Content); return FromResponse(res, secretName); } @@ -160,90 +186,42 @@ namespace VNLib.Plugins.Extensions.Loading } ///<inheritdoc/> + ///<exception cref="TimeoutException"></exception> public ISecretResult? ReadSecret(string path, string mountPoint, string secretName) { - string secretPath = GetSecretPathForKvVersion(_kvVersion, path, mountPoint); - using HttpRequestMessage ms = GetRequestMessageForPath(secretPath); - - try - { - //Exec the response synchronously - using HttpResponseMessage response = _client.Send(ms, HttpCompletionOption.ResponseHeadersRead); - - /* - * It is safe to await the error result here because its - * already completed when the async flag is false - */ - ValueTask errTask = ProcessVaultErrorResponseAsync(response, false); - Debug.Assert(errTask.IsCompleted); - errTask.GetAwaiter().GetResult(); - - //Did not throw, handle a secret response - - ValueTask<SecretResponse> resTask = ReadSecretResponse(response.Content, false); - Debug.Assert(resTask.IsCompleted); - - //Always wrap response in using to clean memory - using SecretResponse res = resTask.GetAwaiter().GetResult(); + /* + * Since this method will syncrhonously block the calling thread, a new + * task must be created to ignore the current async context and run the + * funciton in an new context to block safely without causing a deadlock. + */ - return FromResponse(res, secretName); - } - catch (HttpRequestException he) when (he.InnerException is SocketException se) - { - throw se.SocketErrorCode switch - { - SocketError.HostNotFound => new HCVaultException("Failed to connect to Hashicorp Vault server, because it's DNS hostname could not be resolved"), - SocketError.ConnectionRefused => new HCVaultException("Failed to establish a TCP connection to the vault server, the server refused the connection"), - _ => new HCVaultException("Failed to establish a TCP connection to the vault server, see inner exception", se), - }; - } - catch (Exception ex) + Task<ISecretResult?> asAsync = Task.Run(() => ReadSecretAsync(path, mountPoint, secretName)); + + if(!asAsync.Wait(ClientDefaultTimeout)) { - throw new HCVaultException("Failed to retreive secret from Hashicorp Vault server, see inner exception", ex); + throw new TimeoutException("Failed to retreive the secret from the vault in the configured timeout period"); } + + return asAsync.Result; } - private ValueTask<SecretResponse> ReadSecretResponse(HttpContent content, bool async) + private async Task<SecretResponse> ReadSecretResponse(HttpContent content) { - SecretResponse res = new(DefaultBufferSize, _bufferHeap); + SecretResponse response = new(DefaultBufferSize, _bufferHeap); + try { - if (async) - { - return ReadStreamAsync(content, res); - } - else - { - //Read into a memory stream - content.CopyTo(res.StreamData, null, default); - res.ResetStream(); + await content.CopyToAsync(response.StreamData); - return ValueTask.FromResult(res); - } + response.ResetStream(); + + return response; } catch { - res.Dispose(); + response.Dispose(); throw; } - - async static ValueTask<SecretResponse> ReadStreamAsync(HttpContent content, SecretResponse response) - { - try - { - await content.CopyToAsync(response.StreamData); - - response.ResetStream(); - - return response; - } - catch - { - response.Dispose(); - throw; - } - } - } private static string GetSecretPathForKvVersion(int version, string path, string mount) @@ -288,7 +266,7 @@ namespace VNLib.Plugins.Extensions.Loading return null; } - private static ValueTask ProcessVaultErrorResponseAsync(HttpResponseMessage response, bool async) + private static ValueTask ProcessVaultErrorResponseAsync(HttpResponseMessage response) { if (response.IsSuccessStatusCode) { @@ -322,12 +300,12 @@ namespace VNLib.Plugins.Extensions.Loading ); } - return async ? ExceptionsFromContentAsync(response) : ExceptionsFromContent(response); + return ExceptionsFromContentAsync(response); static ValueTask ExceptionFromVaultErrors(HttpStatusCode code, VaultErrorMessage? errs) { //If the error message is null, raise an exception - if (errs == null || errs.Errors == null || errs.Errors.Length == 0) + if (errs?.Errors is null || errs.Errors.Length == 0) { return ValueTask.FromException( new HttpRequestException($"Failed to fetch secret from vault with error code {code}") @@ -352,19 +330,6 @@ namespace VNLib.Plugins.Extensions.Loading await ExceptionFromVaultErrors(response.StatusCode, errs); } - - static ValueTask ExceptionsFromContent(HttpResponseMessage response) - { -#pragma warning disable CA1849 // Call async methods when in an async method - - //Read the error content stream and deserialize - using Stream stream = response.Content.ReadAsStream(); - VaultErrorMessage? errs = JsonSerializer.Deserialize<VaultErrorMessage>(stream); - -#pragma warning restore CA1849 // Call async methods when in an async method - - return ExceptionFromVaultErrors(response.StatusCode, errs); - } } |