Fix lease expiration for non-master nodes

Michael Weber · Michael Weber · commit f0886fd177a8 · 2020-01-21T02:49:53.000-08:00
plumb node name through to lease data.
diff --git a/path_config_connection.go b/path_config_connection.go
@@ -35,7 +35,7 @@ func (b *backend) pathConfigConnection() *framework.Path {
 			},
 			"is_standalone": &framework.FieldSchema{
 				Type:        framework.TypeBool,
-				Description: "Whether this is a standalone or multi-node deployment",
+				Description: `Whether this is a standalone or multi-node deployment.  Default: false`,
 				Default:     false,
 			},
 			"allowed_roles": &framework.FieldSchema{
@@ -64,7 +64,7 @@ func (b *backend) pathConfigConnection() *framework.Path {
 				Default: "tls12",
 				Description: trimIndent(`
 				Minimum TLS version to use. Accepted values are "tls10", "tls11" or
-				"tls12". Defaults to "tls12".`),
+				"tls12".  Default: "tls12".`),
 			},
 			"pem_bundle": &framework.FieldSchema{
 				Type: framework.TypeString,
@@ -87,7 +87,7 @@ func (b *backend) pathConfigConnection() *framework.Path {
 			"connect_timeout": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Default:     "30s",
-				Description: `The connection timeout to use. Default: 30s.`,
+				Description: `The connection timeout to use.  Default: 30s.`,
 			},
 		},
 
diff --git a/path_creds_create.go b/path_creds_create.go
@@ -13,8 +13,9 @@ import (
 
 const (
 	SEARCHHEAD = "search_head"
-	INDEXER = "indexer"
+	INDEXER    = "indexer"
 )
+
 func (b *backend) pathCredsCreate() *framework.Path {
 	return &framework.Path{
 		Pattern: "creds/" + framework.GenericNameRegex("name"),
@@ -161,7 +162,7 @@ func (b *backend) credsReadHandlerMulti(ctx context.Context, req *logical.Reques
 	}
 	// Check if isStandalone is set
 	if config.IsStandalone {
-		return nil, fmt.Errorf("expected is_standalone to be set for connection: %q", role.Connection)
+		return nil, fmt.Errorf("expected is_standalone to be unset for connection: %q", role.Connection)
 	}
 
 	// If role name isn't in allowed roles, send back a permission denied.
@@ -186,8 +187,8 @@ func (b *backend) credsReadHandlerMulti(ctx context.Context, req *logical.Reques
 
 	// Re-create connection for node
 	config.URL = "https://" + nodeFQDN + ":8089"
-	config.ID = ""
-	conn, err = b.ensureConnection(ctx, config)
+	// XXX config.ID = ""
+	conn, err = config.newConnection(ctx) // XXX cache
 	if err != nil {
 		return nil, err
 	}
@@ -230,6 +231,7 @@ func (b *backend) credsReadHandlerMulti(ctx context.Context, req *logical.Reques
 		"username":   username,
 		"role":       name,
 		"connection": role.Connection,
+		"node_fqdn":  nodeFQDN,
 	})
 	resp.Secret.TTL = role.DefaultTTL
 	resp.Secret.MaxTTL = role.MaxTTL
diff --git a/secret_creds.go b/secret_creds.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
+	"github.com/splunk/vault-plugin-splunk/clients/splunk"
 )
 
 const secretCredsType = "creds"
@@ -35,6 +36,12 @@ func (b *backend) secretCredsRenewHandler(ctx context.Context, req *logical.Requ
 		return nil, fmt.Errorf("error during renew: could not find role with name %q", roleName)
 	}
 
+	nodeFQDN := ""
+	nodeFQDNRaw, ok := req.Secret.InternalData["node_fqdn"]
+	if ok {
+		nodeFQDN = nodeFQDNRaw.(string)
+	}
+
 	// Make sure we increase the VALID UNTIL endpoint for this user.
 	ttl, _, err := framework.CalculateTTL(b.System(), req.Secret.Increment, role.DefaultTTL, 0, role.MaxTTL, 0, req.Secret.IssueTime)
 	if err != nil {
@@ -51,7 +58,7 @@ func (b *backend) secretCredsRenewHandler(ctx context.Context, req *logical.Requ
 		if err != nil {
 			return nil, err
 		}
-		conn, err := b.ensureConnection(ctx, config)
+		conn, err := b.ensureNodeConnection(ctx, config, nodeFQDN)
 		if err != nil {
 			return nil, err
 		}
@@ -74,6 +81,11 @@ func (b *backend) secretCredsRevokeHandler(ctx context.Context, req *logical.Req
 	if !ok {
 		return nil, fmt.Errorf("unable to convert connection name")
 	}
+	nodeFQDN := ""
+	nodeFQDNRaw, ok := req.Secret.InternalData["node_fqdn"]
+	if ok {
+		nodeFQDN = nodeFQDNRaw.(string)
+	}
 	usernameRaw, ok := req.Secret.InternalData["username"]
 	if !ok {
 		return nil, fmt.Errorf("username is missing on the lease")
@@ -84,7 +96,7 @@ func (b *backend) secretCredsRevokeHandler(ctx context.Context, req *logical.Req
 	if err != nil {
 		return nil, err
 	}
-	conn, err := b.ensureConnection(ctx, config)
+	conn, err := b.ensureNodeConnection(ctx, config, nodeFQDN)
 	if err != nil {
 		return nil, err
 	}
@@ -95,3 +107,15 @@ func (b *backend) secretCredsRevokeHandler(ctx context.Context, req *logical.Req
 	}
 	return nil, nil
 }
+
+func (b *backend) ensureNodeConnection(ctx context.Context, config *splunkConfig, nodeFQDN string) (*splunk.API, error) {
+	b.Logger().Debug(fmt.Sprintf("connection for node_fqdn: [%s]", nodeFQDN))
+	if nodeFQDN == "" {
+		return b.ensureConnection(ctx, config)
+	}
+
+	// we connect to a node, not the cluster master
+	nodeConfig := *config
+	nodeConfig.URL = "https://" + nodeFQDN + ":8089"
+	return nodeConfig.newConnection(ctx) // XXX cache
+}
