Revert "AutoMTLS for secrets/auth plugins (#15671)" (#16377)

This reverts commit 39bcd5c.

Author: fairclothjm

api/plugin_helpers.go

@@ -17,10 +17,6 @@ import (
 )
 
 var (
-	// PluginAutoMTLSEnv ensures AutoMTLS is used. This overrides setting a
-	// TLSProviderFunc for a plugin.
-	PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS"
-
 	// PluginMetadataModeEnv is an ENV name used to disable TLS communication
 	// to bootstrap mounting plugins.
 	PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"
@@ -124,7 +120,7 @@ func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error)
 // VaultPluginTLSProviderContext is run inside a plugin and retrieves the response
 // wrapped TLS certificate from vault. It returns a configured TLS Config.
 func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
-	if os.Getenv(PluginAutoMTLSEnv) == "true" || os.Getenv(PluginMetadataModeEnv) == "true" {
+	if os.Getenv(PluginMetadataModeEnv) == "true" {
 		return nil
 	}
 

builtin/plugin/backend.go

@@ -9,7 +9,6 @@ import (
 
 	log "github.com/hashicorp/go-hclog"
 
-	"github.com/hashicorp/go-multierror"
 	uuid "github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/consts"
@@ -52,32 +51,17 @@ func Backend(ctx context.Context, conf *logical.BackendConfig) (*PluginBackend,
 
 	sys := conf.System
 
-	merr := &multierror.Error{}
-	// NewBackend with isMetadataMode set to false
-	raw, err := bplugin.NewBackend(ctx, name, pluginType, sys, conf, false, true)
+	// NewBackend with isMetadataMode set to true
+	raw, err := bplugin.NewBackend(ctx, name, pluginType, sys, conf, true)
 	if err != nil {
-		merr = multierror.Append(merr, err)
-		// NewBackend with isMetadataMode set to true
-		raw, err = bplugin.NewBackend(ctx, name, pluginType, sys, conf, true, false)
-		if err != nil {
-			merr = multierror.Append(merr, err)
-			return nil, merr
-		}
-	} else {
-		b.Backend = raw
-		b.config = conf
-		b.loaded = true
-		b.autoMTLSSupported = true
-
-		return &b, nil
+		return nil, err
 	}
-
-	// Setup the backend so we can inspect the SpecialPaths and Type
 	err = raw.Setup(ctx, conf)
 	if err != nil {
 		raw.Cleanup(ctx)
 		return nil, err
 	}
+	// Get SpecialPaths and BackendType
 	paths := raw.SpecialPaths()
 	btype := raw.Type()
 
@@ -101,8 +85,7 @@ type PluginBackend struct {
 	Backend logical.Backend
 	sync.RWMutex
 
-	autoMTLSSupported bool
-	config            *logical.BackendConfig
+	config *logical.BackendConfig
 
 	// Used to detect if we already reloaded
 	canary string
@@ -122,7 +105,7 @@ func (b *PluginBackend) startBackend(ctx context.Context, storage logical.Storag
 	// Ensure proper cleanup of the backend (i.e. call client.Kill())
 	b.Backend.Cleanup(ctx)
 
-	nb, err := bplugin.NewBackend(ctx, pluginName, pluginType, b.config.System, b.config, false, b.autoMTLSSupported)
+	nb, err := bplugin.NewBackend(ctx, pluginName, pluginType, b.config.System, b.config, false)
 	if err != nil {
 		return err
 	}

builtin/plugin/backend_lazyLoad_test.go

@@ -59,7 +59,7 @@ func testLazyLoad(t *testing.T, methodWrapper func() error) *PluginBackend {
 	}
 
 	// this is a dummy plugin that hasn't really been loaded yet
-	orig, err := plugin.NewBackend(ctx, "test-plugin", consts.PluginTypeSecrets, sysView, config, true, false)
+	orig, err := plugin.NewBackend(ctx, "test-plugin", consts.PluginTypeSecrets, sysView, config, true)
 	if err != nil {
 		t.Fatal(err)
 	}

changelog/15671.txt

@@ -8,10 +8,6 @@ import (
 )
 
 var (
-	// PluginAutoMTLSEnv is used to ensure AutoMTLS is used. This will override
-	// setting a TLSProviderFunc for a plugin.
-	PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS"
-
 	// PluginMlockEnabled is the ENV name used to pass the configuration for
 	// enabling mlock
 	PluginMlockEnabled = "VAULT_PLUGIN_MLOCK_ENABLED"

sdk/helper/pluginutil/env.go

@@ -9,8 +9,6 @@ import (
 	status "google.golang.org/grpc/status"
 )
 
-const MultiplexingCtxKey string = "multiplex_id"
-
 type PluginMultiplexingServerImpl struct {
 	UnimplementedPluginMultiplexingServer
 

sdk/helper/pluginutil/multiplexing.go

@@ -22,7 +22,6 @@ type PluginClientConfig struct {
 	IsMetadataMode  bool
 	AutoMTLS        bool
 	MLock           bool
-	Wrapper         RunnerUtil
 }
 
 type runConfig struct {
@@ -34,6 +33,8 @@ type runConfig struct {
 	// Initialized with what's in PluginRunner.Env, but can be added to
 	env []string
 
+	wrapper RunnerUtil
+
 	PluginClientConfig
 }
 
@@ -42,7 +43,7 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
 	cmd.Env = append(cmd.Env, rc.env...)
 
 	// Add the mlock setting to the ENV of the plugin
-	if rc.MLock || (rc.Wrapper != nil && rc.Wrapper.MlockEnabled()) {
+	if rc.MLock || (rc.wrapper != nil && rc.wrapper.MlockEnabled()) {
 		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMlockEnabled, "true"))
 	}
 	cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version))
@@ -53,9 +54,6 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
 	metadataEnv := fmt.Sprintf("%s=%t", PluginMetadataModeEnv, rc.IsMetadataMode)
 	cmd.Env = append(cmd.Env, metadataEnv)
 
-	automtlsEnv := fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, rc.AutoMTLS)
-	cmd.Env = append(cmd.Env, automtlsEnv)
-
 	var clientTLSConfig *tls.Config
 	if !rc.AutoMTLS && !rc.IsMetadataMode {
 		// Get a CA TLS Certificate
@@ -72,7 +70,7 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
 
 		// Use CA to sign a server cert and wrap the values in a response wrapped
 		// token.
-		wrapToken, err := wrapServerConfig(ctx, rc.Wrapper, certBytes, key)
+		wrapToken, err := wrapServerConfig(ctx, rc.wrapper, certBytes, key)
 		if err != nil {
 			return nil, err
 		}
@@ -122,7 +120,7 @@ func Env(env ...string) RunOpt {
 
 func Runner(wrapper RunnerUtil) RunOpt {
 	return func(rc *runConfig) {
-		rc.Wrapper = wrapper
+		rc.wrapper = wrapper
 	}
 }
 

sdk/helper/pluginutil/run_config.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os/exec"
+	"reflect"
 	"testing"
 	"time"
 
@@ -13,7 +14,6 @@ import (
 	"github.com/hashicorp/go-plugin"
 	"github.com/hashicorp/vault/sdk/helper/wrapping"
 	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
 )
 
 func TestMakeConfig(t *testing.T) {
@@ -78,7 +78,6 @@ func TestMakeConfig(t *testing.T) {
 						"initial=true",
 						fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
 						fmt.Sprintf("%s=%t", PluginMetadataModeEnv, true),
-						fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, false),
 					},
 				),
 				SecureConfig: &plugin.SecureConfig{
@@ -144,7 +143,6 @@ func TestMakeConfig(t *testing.T) {
 						fmt.Sprintf("%s=%t", PluginMlockEnabled, true),
 						fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
 						fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
-						fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, false),
 						fmt.Sprintf("%s=%s", PluginUnwrapTokenEnv, "testtoken"),
 					},
 				),
@@ -207,7 +205,6 @@ func TestMakeConfig(t *testing.T) {
 						"initial=true",
 						fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
 						fmt.Sprintf("%s=%t", PluginMetadataModeEnv, true),
-						fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
 					},
 				),
 				SecureConfig: &plugin.SecureConfig{
@@ -269,7 +266,6 @@ func TestMakeConfig(t *testing.T) {
 						"initial=true",
 						fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
 						fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
-						fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
 					},
 				),
 				SecureConfig: &plugin.SecureConfig{
@@ -294,7 +290,7 @@ func TestMakeConfig(t *testing.T) {
 				Return(test.responseWrapInfo, test.responseWrapInfoErr)
 			mockWrapper.On("MlockEnabled").
 				Return(test.mlockEnabled)
-			test.rc.Wrapper = mockWrapper
+			test.rc.wrapper = mockWrapper
 			defer mockWrapper.AssertNumberOfCalls(t, "ResponseWrapData", test.responseWrapInfoTimes)
 			defer mockWrapper.AssertNumberOfCalls(t, "MlockEnabled", test.mlockEnabledTimes)
 
@@ -322,7 +318,9 @@ func TestMakeConfig(t *testing.T) {
 			}
 			config.TLSConfig = nil
 
-			require.Equal(t, config, test.expectedConfig)
+			if !reflect.DeepEqual(config, test.expectedConfig) {
+				t.Fatalf("Actual config: %#v\nExpected config: %#v", config, test.expectedConfig)
+			}
 		})
 	}
 }

sdk/helper/pluginutil/run_config_test.go

@@ -38,6 +38,8 @@ type PluginClient interface {
 	plugin.ClientProtocol
 }
 
+const MultiplexingCtxKey string = "multiplex_id"
+
 // PluginRunner defines the metadata needed to run a plugin securely with
 // go-plugin.
 type PluginRunner struct {

sdk/helper/pluginutil/runner.go

@@ -20,10 +20,9 @@ var (
 // GRPCBackendPlugin is the plugin.Plugin implementation that only supports GRPC
 // transport
 type GRPCBackendPlugin struct {
-	Factory           logical.Factory
-	MetadataMode      bool
-	AutoMTLSSupported bool
-	Logger            log.Logger
+	Factory      logical.Factory
+	MetadataMode bool
+	Logger       log.Logger
 
 	// Embeding this will disable the netRPC protocol
 	plugin.NetRPCUnsupportedPlugin
@@ -42,13 +41,12 @@ func (b GRPCBackendPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server)
 
 func (b *GRPCBackendPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
 	ret := &backendGRPCPluginClient{
-		client:     pb.NewBackendClient(c),
-		clientConn: c,
-		broker:     broker,
-		cleanupCh:  make(chan struct{}),
-		doneCtx:    ctx,
-		// Only run in metadata mode if mode is true and autoMTLS is not supported
-		metadataMode: b.MetadataMode && !b.AutoMTLSSupported,
+		client:       pb.NewBackendClient(c),
+		clientConn:   c,
+		broker:       broker,
+		cleanupCh:    make(chan struct{}),
+		doneCtx:      ctx,
+		metadataMode: b.MetadataMode,
 	}
 
 	// Create the value and set the type

sdk/plugin/backend.go

@@ -7,6 +7,7 @@ import (
 	"sync"
 
 	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
 	plugin "github.com/hashicorp/go-plugin"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
@@ -34,7 +35,7 @@ func (b *BackendPluginClient) Cleanup(ctx context.Context) {
 // external plugins, or a concrete implementation of the backend if it is a builtin backend.
 // The backend is returned as a logical.Backend interface. The isMetadataMode param determines whether
 // the plugin should run in metadata mode.
-func NewBackend(ctx context.Context, pluginName string, pluginType consts.PluginType, sys pluginutil.LookRunnerUtil, conf *logical.BackendConfig, isMetadataMode bool, autoMTLS bool) (logical.Backend, error) {
+func NewBackend(ctx context.Context, pluginName string, pluginType consts.PluginType, sys pluginutil.LookRunnerUtil, conf *logical.BackendConfig, isMetadataMode bool) (logical.Backend, error) {
 	// Look for plugin in the plugin catalog
 	pluginRunner, err := sys.LookupPlugin(ctx, pluginName, pluginType)
 	if err != nil {
@@ -58,16 +59,8 @@ func NewBackend(ctx context.Context, pluginName string, pluginType consts.Plugin
 			}
 		}
 	} else {
-		config := pluginutil.PluginClientConfig{
-			Name:           pluginName,
-			PluginType:     pluginType,
-			Logger:         conf.Logger.Named(pluginName),
-			IsMetadataMode: isMetadataMode,
-			AutoMTLS:       autoMTLS,
-			Wrapper:        sys,
-		}
 		// create a backendPluginClient instance
-		backend, err = NewPluginClient(ctx, pluginRunner, config)
+		backend, err = NewPluginClient(ctx, sys, pluginRunner, conf.Logger, isMetadataMode)
 		if err != nil {
 			return nil, err
 		}
@@ -76,49 +69,34 @@ func NewBackend(ctx context.Context, pluginName string, pluginType consts.Plugin
 	return backend, nil
 }
 
-// pluginSet returns the go-plugin PluginSet that we can dispense. This ensures
-// that plugins that don't support AutoMTLS are run on the appropriate version.
-func pluginSet(autoMTLS, metadataMode bool) map[int]plugin.PluginSet {
-	if autoMTLS {
-		return map[int]plugin.PluginSet{
-			5: {
-				"backend": &GRPCBackendPlugin{
-					MetadataMode:      false,
-					AutoMTLSSupported: true,
-				},
-			},
-		}
-	}
-	return map[int]plugin.PluginSet{
+func NewPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunner *pluginutil.PluginRunner, logger log.Logger, isMetadataMode bool) (logical.Backend, error) {
+	// pluginMap is the map of plugins we can dispense.
+	pluginSet := map[int]plugin.PluginSet{
 		// Version 3 used to supports both protocols. We want to keep it around
 		// since it's possible old plugins built against this version will still
 		// work with gRPC. There is currently no difference between version 3
 		// and version 4.
 		3: {
 			"backend": &GRPCBackendPlugin{
-				MetadataMode: metadataMode,
+				MetadataMode: isMetadataMode,
 			},
 		},
 		4: {
 			"backend": &GRPCBackendPlugin{
-				MetadataMode: metadataMode,
+				MetadataMode: isMetadataMode,
 			},
 		},
 	}
-}
 
-func NewPluginClient(ctx context.Context, pluginRunner *pluginutil.PluginRunner, config pluginutil.PluginClientConfig) (logical.Backend, error) {
-	ps := pluginSet(config.AutoMTLS, config.IsMetadataMode)
-
-	client, err := pluginRunner.RunConfig(ctx,
-		pluginutil.Runner(config.Wrapper),
-		pluginutil.PluginSets(ps),
-		pluginutil.HandshakeConfig(handshakeConfig),
-		pluginutil.Env(),
-		pluginutil.Logger(config.Logger),
-		pluginutil.MetadataMode(config.IsMetadataMode),
-		pluginutil.AutoMTLS(config.AutoMTLS),
-	)
+	namedLogger := logger.Named(pluginRunner.Name)
+
+	var client *plugin.Client
+	var err error
+	if isMetadataMode {
+		client, err = pluginRunner.RunMetadataMode(ctx, sys, pluginSet, handshakeConfig, []string{}, namedLogger)
+	} else {
+		client, err = pluginRunner.Run(ctx, sys, pluginSet, handshakeConfig, []string{}, namedLogger)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -148,9 +126,9 @@ func NewPluginClient(ctx context.Context, pluginRunner *pluginutil.PluginRunner,
 	}
 
 	// Wrap the backend in a tracing middleware
-	if config.Logger.IsTrace() {
+	if namedLogger.IsTrace() {
 		backend = &backendTracingMiddleware{
-			logger: config.Logger.With("transport", transport),
+			logger: namedLogger.With("transport", transport),
 			next:   backend,
 		}
 	}