From 1ae94fae173ec921f5fcb6aebd56ca3f30a54f44 Mon Sep 17 00:00:00 2001 From: Michael Aldridge Date: Thu, 2 Sep 2021 21:54:37 -0500 Subject: [PATCH] vault: update to 1.8.2. --- srcpkgs/vault/patches/pr12358.patch | 313 ++++++++++++++++++++++++++++ srcpkgs/vault/template | 9 +- 2 files changed, 317 insertions(+), 5 deletions(-) create mode 100644 srcpkgs/vault/patches/pr12358.patch diff --git a/srcpkgs/vault/patches/pr12358.patch b/srcpkgs/vault/patches/pr12358.patch new file mode 100644 index 0000000000..f0b840397c --- /dev/null +++ b/srcpkgs/vault/patches/pr12358.patch @@ -0,0 +1,313 @@ +From 83fa452c245bbee4e491a9341710d377c23f5c79 Mon Sep 17 00:00:00 2001 +From: "Scott G. Miller" +Date: Wed, 18 Aug 2021 20:49:41 -0400 +Subject: [PATCH 1/5] Upgrade go-limiter + +--- + go.mod | 2 +- + go.sum | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/go.mod b/go.mod +index eea85d2e11c..553ed07c28f 100644 +--- a/go.mod ++++ b/go.mod +@@ -160,7 +160,7 @@ require ( + github.com/ryanuber/go-glob v1.0.0 + github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da + github.com/sasha-s/go-deadlock v0.2.0 +- github.com/sethvargo/go-limiter v0.3.0 ++ github.com/sethvargo/go-limiter v0.7.0 + github.com/shirou/gopsutil v3.21.5+incompatible + github.com/stretchr/testify v1.7.0 + github.com/tencentcloud/tencentcloud-sdk-go v3.0.171+incompatible // indirect +diff --git a/go.sum b/go.sum +index 6c0e366f593..894a1e6015d 100644 +--- a/go.sum ++++ b/go.sum +@@ -1121,6 +1121,8 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUt + github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= + github.com/sethvargo/go-limiter v0.3.0 h1:yRMc+Qs2yqw6YJp6UxrO2iUs6DOSq4zcnljbB7/rMns= + github.com/sethvargo/go-limiter v0.3.0/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU= ++github.com/sethvargo/go-limiter v0.7.0 h1:CSvIHUxzNBVmsopHcMmYANZMsJFFJTi9kO+Ms+EYIhM= ++github.com/sethvargo/go-limiter v0.7.0/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU= + github.com/shirou/gopsutil v3.21.5+incompatible h1:OloQyEerMi7JUrXiNzy8wQ5XN+baemxSl12QgIzt0jc= + github.com/shirou/gopsutil v3.21.5+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= + github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 h1:pntxY8Ary0t43dCZ5dqY4YTJCObLY1kIXl0uzMv+7DE= + +From 43e8a7569e29071d5521651ae181e7ca21a9bb4a Mon Sep 17 00:00:00 2001 +From: "Scott G. Miller" +Date: Wed, 18 Aug 2021 20:49:59 -0400 +Subject: [PATCH 2/5] Modify quota system to pass contexts to upgraded + go-limiter + +--- + vault/quotas/quotas.go | 12 ++++++------ + vault/quotas/quotas_rate_limit.go | 13 +++++++++---- + vault/quotas/quotas_util.go | 4 ++-- + 3 files changed, 17 insertions(+), 12 deletions(-) + +diff --git a/vault/quotas/quotas.go b/vault/quotas/quotas.go +index 99dc80e621d..f68e504ddec 100644 +--- a/vault/quotas/quotas.go ++++ b/vault/quotas/quotas.go +@@ -168,7 +168,7 @@ type Manager struct { + // Quota represents the common properties of every quota type + type Quota interface { + // allow checks the if the request is allowed by the quota type implementation. +- allow(*Request) (Response, error) ++ allow(context.Context, *Request) (Response, error) + + // quotaID is the identifier of the quota rule + quotaID() string +@@ -181,7 +181,7 @@ type Quota interface { + + // close defines any cleanup behavior that needs to be executed when a quota + // rule is deleted. +- close() error ++ close(context.Context) error + + // handleRemount takes in the new mount path in the quota + handleRemount(string) +@@ -287,7 +287,7 @@ func (m *Manager) setQuotaLocked(ctx context.Context, qType string, quota Quota, + // If there already exists an entry in the db, remove that first. + if raw != nil { + quota := raw.(Quota) +- if err := quota.close(); err != nil { ++ if err := quota.close(ctx); err != nil { + return err + } + err = txn.Delete(qType, raw) +@@ -518,7 +518,7 @@ func (m *Manager) DeleteQuota(ctx context.Context, qType string, name string) er + } + + quota := raw.(Quota) +- if err := quota.close(); err != nil { ++ if err := quota.close(ctx); err != nil { + return err + } + +@@ -541,7 +541,7 @@ func (m *Manager) DeleteQuota(ctx context.Context, qType string, name string) er + // ApplyQuota runs the request against any quota rule that is applicable to it. If + // there are multiple quota rule that matches the request parameters, rule that + // takes precedence will be used to allow/reject the request. +-func (m *Manager) ApplyQuota(req *Request) (Response, error) { ++func (m *Manager) ApplyQuota(ctx context.Context, req *Request) (Response, error) { + var resp Response + + quota, err := m.QueryQuota(req) +@@ -562,7 +562,7 @@ func (m *Manager) ApplyQuota(req *Request) (Response, error) { + return resp, nil + } + +- return quota.allow(req) ++ return quota.allow(ctx, req) + } + + // SetEnableRateLimitAuditLogging updates the operator preference regarding the +diff --git a/vault/quotas/quotas_rate_limit.go b/vault/quotas/quotas_rate_limit.go +index 64117b00201..ad58b2af322 100644 +--- a/vault/quotas/quotas_rate_limit.go ++++ b/vault/quotas/quotas_rate_limit.go +@@ -1,6 +1,7 @@ + package quotas + + import ( ++ "context" + "encoding/hex" + "fmt" + "math" +@@ -264,7 +265,7 @@ func (rlq *RateLimitQuota) QuotaName() string { + // returned if the request ID or address is empty. If the path is exempt, the + // quota will not be evaluated. Otherwise, the client rate limiter is retrieved + // by address and the rate limit quota is checked against that limiter. +-func (rlq *RateLimitQuota) allow(req *Request) (Response, error) { ++func (rlq *RateLimitQuota) allow(ctx context.Context, req *Request) (Response, error) { + resp := Response{ + Headers: make(map[string]string), + } +@@ -300,7 +301,11 @@ func (rlq *RateLimitQuota) allow(req *Request) (Response, error) { + } + } + +- limit, remaining, reset, allow := rlq.store.Take(req.ClientAddress) ++ limit, remaining, reset, allow, err := rlq.store.Take(ctx, req.ClientAddress) ++ if err != nil { ++ return resp, err ++ } ++ + resp.Allowed = allow + resp.Headers[httplimit.HeaderRateLimitLimit] = strconv.FormatUint(limit, 10) + resp.Headers[httplimit.HeaderRateLimitRemaining] = strconv.FormatUint(remaining, 10) +@@ -320,13 +325,13 @@ func (rlq *RateLimitQuota) allow(req *Request) (Response, error) { + + // close stops the current running client purge loop. + // It should be called with the write lock held. +-func (rlq *RateLimitQuota) close() error { ++func (rlq *RateLimitQuota) close(ctx context.Context) error { + if rlq.purgeBlocked { + close(rlq.closePurgeBlockedCh) + } + + if rlq.store != nil { +- return rlq.store.Close() ++ return rlq.store.Close(ctx) + } + + return nil +diff --git a/vault/quotas/quotas_util.go b/vault/quotas/quotas_util.go +index dc2fcdfacc6..7c0732f673b 100644 +--- a/vault/quotas/quotas_util.go ++++ b/vault/quotas/quotas_util.go +@@ -40,7 +40,7 @@ func (*entManager) Reset() error { + + type LeaseCountQuota struct{} + +-func (l LeaseCountQuota) allow(request *Request) (Response, error) { ++func (l LeaseCountQuota) allow(_ context.Context, _ *Request) (Response, error) { + panic("implement me") + } + +@@ -56,7 +56,7 @@ func (l LeaseCountQuota) initialize(logger log.Logger, sink *metricsutil.Cluster + panic("implement me") + } + +-func (l LeaseCountQuota) close() error { ++func (l LeaseCountQuota) close(_ context.Context) error { + panic("implement me") + } + + +From 2d2fda4511baeacc810499da552e3ff680bfe0a6 Mon Sep 17 00:00:00 2001 +From: "Scott G. Miller" +Date: Wed, 18 Aug 2021 20:52:08 -0400 +Subject: [PATCH 3/5] One more spot + +--- + http/util.go | 2 +- + vault/core.go | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/http/util.go b/http/util.go +index 0550a93c7e6..cbb364843c3 100644 +--- a/http/util.go ++++ b/http/util.go +@@ -48,7 +48,7 @@ func rateLimitQuotaWrapping(handler http.Handler, core *vault.Core) http.Handler + return + } + +- quotaResp, err := core.ApplyRateLimitQuota("as.Request{ ++ quotaResp, err := core.ApplyRateLimitQuota(r.Context(), "as.Request{ + Type: quotas.TypeRateLimit, + Path: path, + MountPath: strings.TrimPrefix(core.MatchingMount(r.Context(), path), ns.Path), +diff --git a/vault/core.go b/vault/core.go +index 7d629099f70..79308173026 100644 +--- a/vault/core.go ++++ b/vault/core.go +@@ -2722,7 +2722,7 @@ func (c *Core) setupQuotas(ctx context.Context, isPerfStandby bool) error { + + // ApplyRateLimitQuota checks the request against all the applicable quota rules. + // If the given request's path is exempt, no rate limiting will be applied. +-func (c *Core) ApplyRateLimitQuota(req *quotas.Request) (quotas.Response, error) { ++func (c *Core) ApplyRateLimitQuota(ctx context.Context, req *quotas.Request) (quotas.Response, error) { + req.Type = quotas.TypeRateLimit + + resp := quotas.Response{ +@@ -2736,7 +2736,7 @@ func (c *Core) ApplyRateLimitQuota(req *quotas.Request) (quotas.Response, error) + return resp, nil + } + +- return c.quotaManager.ApplyQuota(req) ++ return c.quotaManager.ApplyQuota(ctx, req) + } + + return resp, nil + +From b535a57ce36123b0968fa19ec29c75974f59d265 Mon Sep 17 00:00:00 2001 +From: "Scott G. Miller" +Date: Wed, 1 Sep 2021 15:54:19 -0500 +Subject: [PATCH 4/5] Add context vars to unit tests + +--- + vault/quotas/quotas_rate_limit_test.go | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/vault/quotas/quotas_rate_limit_test.go b/vault/quotas/quotas_rate_limit_test.go +index 27225e3381e..944b5a67868 100644 +--- a/vault/quotas/quotas_rate_limit_test.go ++++ b/vault/quotas/quotas_rate_limit_test.go +@@ -37,7 +37,7 @@ func TestNewRateLimitQuota(t *testing.T) { + err := tc.rlq.initialize(logging.NewVaultLogger(log.Trace), metricsutil.BlackholeSink()) + require.Equal(t, tc.expectErr, err != nil, err) + if err == nil { +- require.Nil(t, tc.rlq.close()) ++ require.Nil(t, tc.rlq.close(context.Background())) + } + }) + } +@@ -46,7 +46,7 @@ func TestNewRateLimitQuota(t *testing.T) { + func TestRateLimitQuota_Close(t *testing.T) { + rlq := NewRateLimitQuota("test-rate-limiter", "qa", "/foo/bar", 16.7, time.Second, time.Minute) + require.NoError(t, rlq.initialize(logging.NewVaultLogger(log.Trace), metricsutil.BlackholeSink())) +- require.NoError(t, rlq.close()) ++ require.NoError(t, rlq.close(context.Background())) + + time.Sleep(time.Second) // allow enough time for purgeClientsLoop to receive on closeCh + require.False(t, rlq.getPurgeBlocked(), "expected blocked client purging to be disabled after explicit close") +@@ -66,14 +66,14 @@ func TestRateLimitQuota_Allow(t *testing.T) { + } + + require.NoError(t, rlq.initialize(logging.NewVaultLogger(log.Trace), metricsutil.BlackholeSink())) +- defer rlq.close() ++ defer rlq.close(context.Background()) + + var wg sync.WaitGroup + + reqFunc := func(addr string, atomicNumAllow, atomicNumFail *atomic.Int32) { + defer wg.Done() + +- resp, err := rlq.allow(&Request{ClientAddress: addr}) ++ resp, err := rlq.allow(context.Background(), &Request{ClientAddress: addr}) + if err != nil { + return + } +@@ -141,7 +141,7 @@ func TestRateLimitQuota_Allow_WithBlock(t *testing.T) { + } + + require.NoError(t, rlq.initialize(logging.NewVaultLogger(log.Trace), metricsutil.BlackholeSink())) +- defer rlq.close() ++ defer rlq.close(context.Background()) + require.True(t, rlq.getPurgeBlocked()) + + var wg sync.WaitGroup +@@ -149,7 +149,7 @@ func TestRateLimitQuota_Allow_WithBlock(t *testing.T) { + reqFunc := func(addr string, atomicNumAllow, atomicNumFail *atomic.Int32) { + defer wg.Done() + +- resp, err := rlq.allow(&Request{ClientAddress: addr}) ++ resp, err := rlq.allow(context.Background(), &Request{ClientAddress: addr}) + if err != nil { + return + } + +From d340179ec7f6af6673b1e66c68c37e5d0bf6648d Mon Sep 17 00:00:00 2001 +From: "Scott G. Miller" +Date: Wed, 1 Sep 2021 16:09:41 -0500 +Subject: [PATCH 5/5] missed one + +--- + vault/quotas/quotas_rate_limit_test.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/vault/quotas/quotas_rate_limit_test.go b/vault/quotas/quotas_rate_limit_test.go +index 944b5a67868..21f35dac3cb 100644 +--- a/vault/quotas/quotas_rate_limit_test.go ++++ b/vault/quotas/quotas_rate_limit_test.go +@@ -221,5 +221,5 @@ func TestRateLimitQuota_Update(t *testing.T) { + require.NoError(t, qm.SetQuota(context.Background(), TypeRateLimit.String(), quota, true)) + require.NoError(t, qm.SetQuota(context.Background(), TypeRateLimit.String(), quota, true)) + +- require.Nil(t, quota.close()) ++ require.Nil(t, quota.close(context.Background())) + } diff --git a/srcpkgs/vault/template b/srcpkgs/vault/template index 60a3487700..9d946c7c39 100644 --- a/srcpkgs/vault/template +++ b/srcpkgs/vault/template @@ -1,11 +1,11 @@ # Template file for 'vault' pkgname=vault -version=1.8.1 -revision=2 +version=1.8.2 +revision=1 build_style=go go_import_path="github.com/hashicorp/vault" go_build_tags="release" -_git_commit=4b0264f28defc05454c31277cfa6ff63695a458d +_git_commit=aca76f63357041a43b49f3e8c11d67358496959f go_ldflags="-X ${go_import_path}/sdk/version.GitCommit=${_git_commit}" hostmakedepends="git" depends="libcap-progs" @@ -14,11 +14,10 @@ maintainer="Michael Aldridge " license="MPL-2.0" homepage="https://www.vaultproject.io/" distfiles="https://github.com/hashicorp/vault/archive/v${version}.tar.gz" -checksum=dbf389458fddeb5f8c567d00b6d17ce054f5b7667c226dbb598aa2c0f9048004 +checksum=ead7e85a64d31a8e69ca9932f1c53cdc46ed813d9532a8a7a7f0d187ea4f01f3 system_accounts="_vault" make_dirs="/var/lib/vault 0700 _vault _vault /etc/vault 0700 root root" -broken="FTBFS w/ Go 1.17 - hashicorp/vault#12456" case "$XBPS_TARGET_MACHINE" in arm*) go_ldflags="$go_ldflags -linkmode=external";;