Set vault token header in every request
The previous code set the vault token header globally on the first request to vault and never changed it. This meant that databases could not use separate tokens, and that the token could never be rotated without a server restart.
1 parent e7e63e3 commit 255648b


1 file changed

+26
-31
lines changed


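--- a/contrib/pg_tde/src/keyring/keyring_vault.c
+++ b/contrib/pg_tde/src/keyring/keyring_vault.c
@@ -62,9 +62,6 @@ static JsonParseErrorType json_resp_scalar(void *state, char *token, JsonTokenTy
 static JsonParseErrorType json_resp_object_field_start(void *state, char *fname, bool isnull);
 static JsonParseErrorType parse_json_response(JsonVaultRespState *parse, JsonLexContext *lex);
 
-static struct curl_slist *curlList = NULL;
-
-static bool curl_setup_token(VaultV2Keyring *keyring);
 static char *get_keyring_vault_url(VaultV2Keyring *keyring, const char *key_name, char *out, size_t out_size);
 static bool curl_perform(VaultV2Keyring *keyring, const char *url, CurlString *outStr, long *httpCode, const char *postData);
 
@@ -84,35 +81,13 @@ InstallVaultV2Keyring(void)
 RegisterKeyProviderType(&keyringVaultV2Routine, VAULT_V2_KEY_PROVIDER);
 }
 
-static bool
-curl_setup_token(VaultV2Keyring *keyring)
-{
-if (curlList == NULL)
-{
-char tokenHeader[256];
-
-strcpy(tokenHeader, "X-Vault-Token:");
-strcat(tokenHeader, keyring->vault_token);
-
-curlList = curl_slist_append(curlList, tokenHeader);
-if (curlList == NULL)
-return 0;
-
-curlList = curl_slist_append(curlList, "Content-Type: application/json");
-if (curlList == NULL)
-return 0;
-}
-
-if (curl_easy_setopt(keyringCurl, CURLOPT_HTTPHEADER, curlList) != CURLE_OK)
-return 0;
-
-return 1;
-}
-
 static bool
 curl_perform(VaultV2Keyring *keyring, const char *url, CurlString *outStr, long *httpCode, const char *postData)
 {
 CURLcode ret;
+struct curl_slist *curlList = NULL;
+char tokenHeader[256];
+
 #if KEYRING_DEBUG
 elog(DEBUG1, "Performing Vault HTTP [%s] request to '%s'", postData != NULL ? "POST" : "GET", url);
 if (postData != NULL)
@@ -126,29 +101,49 @@ curl_perform(VaultV2Keyring *keyring, const char *url, CurlString *outStr, long
 if (!curlSetupSession(url, keyring->vault_ca_path, outStr))
 return 0;
 
-if (!curl_setup_token(keyring))
-return 0;
-
 if (postData != NULL)
 {
 if (curl_easy_setopt(keyringCurl, CURLOPT_POSTFIELDS, postData) != CURLE_OK)
 return 0;
 }
 
+pg_snprintf(tokenHeader, sizeof(tokenHeader),
+"X-Vault-Token: %s", keyring->vault_token);
+curlList = curl_slist_append(curlList, tokenHeader);
+if (curlList == NULL)
+return 0;
+
+if (!curl_slist_append(curlList, "Content-Type: application/json"))
+{
+curl_slist_free_all(curlList);
+return 0;
+}
+
+if (curl_easy_setopt(keyringCurl, CURLOPT_HTTPHEADER, curlList) != CURLE_OK)
+{
+curl_slist_free_all(curlList);
+return 0;
+}
+
 ret = curl_easy_perform(keyringCurl);
 if (ret != CURLE_OK)
 {
 elog(LOG, "curl_easy_perform failed with return code: %d", ret);
+curl_slist_free_all(curlList);
 return 0;
 }
 
 if (curl_easy_getinfo(keyringCurl, CURLINFO_RESPONSE_CODE, httpCode) != CURLE_OK)
+{
+curl_slist_free_all(curlList);
 return 0;
+}
 
 #if KEYRING_DEBUG
 elog(DEBUG2, "Vault response [%li] '%s'", *httpCode, outStr->ptr != NULL ? outStr->ptr : "");
 #endif
 
+curl_slist_free_all(curlList);
 return 1;
 }
 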