feat: allow the flags to be configurable during runtime

Author: ilijamt

README.md

@@ -72,6 +72,9 @@ you may or may not be able to access certain paths.
     ^config?/?$
         Lists existing configs
 
+    ^flags$
+        Flags for the plugins.
+
     ^roles/(?P<role_name>\w(([\w-.]+)?\w)?)$
         Create a role with parameters that are used to generate a various access tokens.
 
@@ -86,9 +89,10 @@ you may or may not be able to access certain paths.
 There are some flags we can specify to enable/disable some functionality in the vault plugin.
 
 
-|       Flag        | Default value | Description                                                                            |
-|:-----------------:|:-------------:|:---------------------------------------------------------------------------------------|
-| show-config-token |     false     | Display the token value when reading a config on it's endpoint like `/config/default`. |
+|            Flag            | Default value | Description                                                                            |
+|:--------------------------:|:-------------:|:---------------------------------------------------------------------------------------|
+|     show-config-token      |     false     | Display the token value when reading a config on it's endpoint like `/config/default`. |
+| allow-runtime-flags-change |     false     | Allows you to change the flags at runtime                                              |
 
 ## Security Model
 

backend.go

@@ -62,6 +62,7 @@ func factory(ctx context.Context, conf *logical.BackendConfig, flags Flags) (log
 
 		Paths: framework.PathAppend(
 			[]*framework.Path{
+				pathFlags(b),
 				pathConfig(b),
 				pathListConfig(b),
 				pathConfigTokenRotate(b),
@@ -90,6 +91,10 @@ type Backend struct {
 	// would invalidate the gitlab client, so it will need to be reinitialized
 	lockClientMutex sync.RWMutex
 
+	// Mutex to protect flags change, this is required as it could require reinitialization of some components
+	// of the plugin
+	lockFlagsMutex sync.RWMutex
+
 	// roleLocks to protect access for roles, during modifications, deletion
 	roleLocks []*locksutil.LockEntry
 }

flags.go

@@ -1,13 +1,17 @@
 package gitlab
 
-import "flag"
+import (
+	"flag"
+)
 
 type Flags struct {
-	ShowConfigToken bool
+	ShowConfigToken         bool `json:"show_config_token" mapstructure:"show_config_token"`
+	AllowRuntimeFlagsChange bool `json:"allow_runtime_flags_change" mapstructure:"allow_runtime_flags_change"`
 }
 
 // FlagSet returns the flag set for configuring the TLS connection
 func (f *Flags) FlagSet(fs *flag.FlagSet) *flag.FlagSet {
-	fs.BoolVar(&f.ShowConfigToken, "show-config-token", false, "")
+	fs.BoolVar(&f.ShowConfigToken, "show-config-token", false, "Display the token value when reading it's config the configuration endpoint.")
+	fs.BoolVar(&f.AllowRuntimeFlagsChange, "allow-runtime-flags-change", false, "Allows you to change the flags dynamically at runtime.")
 	return fs
 }

flags_test.go

@@ -16,6 +16,8 @@ func TestFlags_FlagSet(t *testing.T) {
 	flags.FlagSet(fs)
 
 	assert.False(t, flags.ShowConfigToken)
-	assert.NoError(t, fs.Parse([]string{"-show-config-token"}))
+	assert.False(t, flags.AllowRuntimeFlagsChange)
+	assert.NoError(t, fs.Parse([]string{"-show-config-token", "-allow-runtime-flags-change"}))
 	assert.True(t, flags.ShowConfigToken)
+	assert.True(t, flags.AllowRuntimeFlagsChange)
 }

path_flags.go

@@ -0,0 +1,106 @@
+package gitlab
+
+import (
+	"context"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/mitchellh/mapstructure"
+)
+
+const (
+	PathConfigFlags = "flags"
+)
+
+var FieldSchemaFlags = map[string]*framework.FieldSchema{
+	"show_config_token": {
+		Type:         framework.TypeBool,
+		Description:  "Should we display the token value for the roles?",
+		Default:      false,
+		DisplayAttrs: &framework.DisplayAttributes{Name: "Show Config Token"},
+	},
+}
+
+func (b *Backend) pathFlagsRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (lResp *logical.Response, err error) {
+	b.lockFlagsMutex.RLock()
+	defer b.lockFlagsMutex.RUnlock()
+	var flagData map[string]any
+	err = mapstructure.Decode(b.flags, &flagData)
+	return &logical.Response{Data: flagData}, err
+}
+
+func (b *Backend) pathFlagsUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (lResp *logical.Response, err error) {
+	b.lockFlagsMutex.Lock()
+	defer b.lockFlagsMutex.Unlock()
+
+	var eventData = make(map[string]string)
+
+	if showConfigToken, ok := data.GetOk("show_config_token"); ok {
+		b.flags.ShowConfigToken = showConfigToken.(bool)
+		eventData["show_config_token"] = strconv.FormatBool(b.flags.ShowConfigToken)
+	}
+
+	event(ctx, b.Backend, "flags-write", eventData)
+
+	var flagData map[string]any
+	err = mapstructure.Decode(b.flags, &flagData)
+	return &logical.Response{Data: flagData}, err
+}
+
+func pathFlags(b *Backend) *framework.Path {
+	var operations = map[logical.Operation]framework.OperationHandler{
+		logical.ReadOperation: &framework.PathOperation{
+			Callback: b.pathFlagsRead,
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb:   "read",
+				OperationSuffix: "flags",
+			},
+			Summary: "Read the flags for the plugin.",
+			Responses: map[int][]framework.Response{
+				http.StatusOK: {{
+					Description: http.StatusText(http.StatusOK),
+					Fields:      FieldSchemaFlags,
+				}},
+			},
+		},
+	}
+
+	if b.flags.AllowRuntimeFlagsChange {
+		operations[logical.UpdateOperation] = &framework.PathOperation{
+			Callback: b.pathFlagsUpdate,
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationVerb:   "update",
+				OperationSuffix: "flags",
+			},
+			Summary: "Update the flags for the plugin.",
+			Responses: map[int][]framework.Response{
+				http.StatusOK: {{
+					Description: http.StatusText(http.StatusOK),
+					Fields:      FieldSchemaFlags,
+				}},
+				http.StatusBadRequest: {{
+					Description: http.StatusText(http.StatusBadRequest),
+					Fields:      FieldSchemaFlags,
+				}},
+			},
+		}
+	}
+
+	return &framework.Path{
+		HelpSynopsis:    strings.TrimSpace(pathFlagsHelpSynopsis),
+		HelpDescription: strings.TrimSpace(pathFlagsHelpDescription),
+		Pattern:         PathConfigFlags,
+		Fields:          FieldSchemaFlags,
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixGitlabAccessTokens,
+		},
+		Operations: operations,
+	}
+}
+
+const pathFlagsHelpSynopsis = `Flags for the plugin.`
+
+const pathFlagsHelpDescription = ``

path_flags_test.go

@@ -0,0 +1,46 @@
+//go:build unit
+
+package gitlab_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/require"
+
+	gitlab "github.com/ilijamt/vault-plugin-secrets-gitlab"
+)
+
+func TestPathFlags(t *testing.T) {
+	var ctx = context.Background()
+	b, l, events, err := getBackendWithFlagsWithEvents(ctx, gitlab.Flags{AllowRuntimeFlagsChange: true})
+	require.NoError(t, err)
+
+	resp, err := b.HandleRequest(ctx, &logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      gitlab.PathConfigFlags, Storage: l,
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NoError(t, resp.Error())
+	require.False(t, resp.Data["show_config_token"].(bool))
+
+	resp, err = b.HandleRequest(ctx, &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      gitlab.PathConfigFlags, Storage: l,
+		Data: map[string]interface{}{
+			"show_config_token": "true",
+		},
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NoError(t, resp.Error())
+	require.True(t, resp.Data["show_config_token"].(bool))
+
+	events.expectEvents(t, []expectedEvent{
+		{eventType: "gitlab/flags-write"},
+	})
+}