fix: expiry date for main token, and documentation for rotating token

Author: ilijamt

README.md

@@ -38,13 +38,13 @@ The current authentication model requires providing Vault with a Gitlab Token.
 
 ### Config
 
-|         Property          | Required | Default value | Sensitive | Description                                                                                                                       |
-|:-------------------------:|:--------:|:-------------:|:---------:|:----------------------------------------------------------------------------------------------------------------------------------|
-|           token           |   yes    |      n/a      |    yes    | The token to access Gitlab API                                                                                                    |
-|         base_url          |   yes    |      n/a      |    no     | The address to access Gitlab                                                                                                      |
-|     auto_rotate_token     |    no    |      no       |    no     | Should we autorotate the token when it's close to expiry? (Experimental)                                                          |
-| revoke_auto_rotated_token |    no    |      no       |    no     | Should we revoke the auto-rotated token after a new one has been generated?                                                       |
-|    auto_rotate_before     |    no    |      24h      |    no     | How much time should be remaining on the token validity before we should rotate it? Minimum can be set to 24h and maximum to 730h |
+|         Property          | Required | Default value | Sensitive | Description                                                                                                                                   |
+|:-------------------------:|:--------:|:-------------:|:---------:|:----------------------------------------------------------------------------------------------------------------------------------------------|
+|           token           |   yes    |      n/a      |    yes    | The token to access Gitlab API, it will not show when you do a read, as it's a sensitive value. Instead it will display it's SHA1 hash value. |
+|         base_url          |   yes    |      n/a      |    no     | The address to access Gitlab                                                                                                                  |
+|     auto_rotate_token     |    no    |      no       |    no     | Should we autorotate the token when it's close to expiry? (Experimental)                                                                      |
+| revoke_auto_rotated_token |    no    |      no       |    no     | Should we revoke the auto-rotated token after a new one has been generated?                                                                   |
+|    auto_rotate_before     |    no    |      24h      |    no     | How much time should be remaining on the token validity before we should rotate it? Minimum can be set to 24h and maximum to 730h             |
 
 ### Role
 
@@ -120,20 +120,33 @@ If you use Vault to manage the tokens the minimal TTL you can use is `1h`, by se
 The command bellow will set up the config backend with a max TTL of 48h.
 
 ```shell
-$ vault write gitlab/config base_url=https://gitlab.example.com token=gitlab-super-secret-token
+$ vault write gitlab/config base_url=https://gitlab.example.com token=gitlab-super-secret-token auto_rotate_token=false revoke_auto_rotated_token=false auto_rotate_before=48h
+$ vault read gitlab/config
+Key                   Value
+---                   -----
+auto_rotate_before    48h0m0s
+auto_rotate_token     false
+base_url              https://gitlab.example.com
+token_id              107
+token_expires_at      2025-03-29T00:00:00Z
+token_sha1_hash       1014647cd9bbf359d926fcacdf78e184db9dbedc
 ```
 
 You may also need to configure the Max/Default TTL for a token that can be issued by setting:
 
-Max TTL: 1 year
-Default TTL: 1 week
+Max TTL: `1 year`
+Default TTL: `1 week`
 
 ```shell
 $ vault secrets tune -max-lease-ttl=8784h -default-lease-ttl=168h gitlab/
 ```
 
 Check https://developer.hashicorp.com/vault/docs/commands/secrets/tune for more information.
 
+There is a periodic func that runs that is responsible for autorotation and main token expiry time. 
+So in the beginning you may see  `token_expires_at n/a`. But when the function runs it will update itself 
+with the correct expiry date and the corresponding `token_id`.
+
 ### Roles
 
 This will create three roles, one of each type.
@@ -255,7 +268,15 @@ If the original token that has been supplied to the backend is not expired. We c
 to force a rotation of the main token. This would create a new token with the same expiration as the original token.
 
 ```shell
-vault put gitlab/config/rotate
+$ vault read gitlab/config/rotate
+Key                   Value
+---                   -----
+auto_rotate_before    48h0m0s
+auto_rotate_token     false
+base_url              https://gitlab.example.com
+token_expires_at      2025-03-29T00:00:00Z
+token_id              110
+token_sha1_hash       b8ff3f9e560f29d15f756fc92a3b1d6602aaae55
 ```
 
 ## TODO

backend.go

@@ -2,8 +2,10 @@ package gitlab
 
 import (
 	"context"
+	"errors"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/locksutil"
@@ -101,37 +103,83 @@ func (b *Backend) periodicFunc(ctx context.Context, request *logical.Request) er
 		return nil
 	}
 
-	if !config.AutoRotateToken {
-		return nil
+	// if there is no expiry date on the token fetch it
+	if config.TokenExpiresAt.IsZero() {
+		err = errors.Join(err, b.updateMainTokenExpiryTime(ctx, request, config))
+	}
+
+	// If we need to autorotate the token, initiate the procedure to autorotate the token
+	if config.AutoRotateToken {
+		err = errors.Join(err, b.checkAndRotateConfigToken(ctx, request, config))
+	}
+
+	return err
+}
+
+func (b *Backend) updateMainTokenExpiryTime(ctx context.Context, request *logical.Request, config *EntryConfig) error {
+	b.Logger().Debug("Running updateMainTokenExpiryTime")
+	var client Client
+	var err error
+
+	if client, err = b.getClient(ctx, request.Storage); err != nil {
+		return err
 	}
 
-	return b.checkAndRotateConfigToken(ctx, request, config)
+	if config.TokenExpiresAt.IsZero() {
+		b.Logger().Warn("Main token expiry information is empty, updating")
+		var entryToken *EntryToken
+		// we need to fetch the token expiration information
+		entryToken, err = client.CurrentTokenInfo()
+		if err != nil {
+			return err
+		}
+		// and update the information so we can do the checks
+		config.TokenExpiresAt = *entryToken.ExpiresAt
+		config.TokenId = entryToken.TokenID
+		err = func() error {
+			b.lockClientMutex.Lock()
+			defer b.lockClientMutex.Unlock()
+			return saveConfig(ctx, *config, request.Storage)
+		}()
+		if err != nil {
+			return err
+		}
+		b.Logger().Info("Main token expiry information updated", "token_id", entryToken.TokenID, "token_expires_at", entryToken.ExpiresAt.Format(time.RFC3339))
+	}
+	return err
 }
 
 // Invalidate invalidates the key if required
 func (b *Backend) Invalidate(ctx context.Context, key string) {
 	b.Logger().Debug("Backend invalidate", "key", key)
 	if key == PathConfigStorage {
-		b.Logger().Warn("gitlab config changed, reinitializing the gitlab client")
+		b.Logger().Warn("Gitlab config changed, reinitializing the gitlab client")
 		b.lockClientMutex.Lock()
 		defer b.lockClientMutex.Unlock()
 		b.client = nil
 	}
 }
 
 func (b *Backend) SetClient(client Client) {
+	if client == nil {
+		b.Logger().Debug("Setting a nil client")
+		return
+	}
+	b.Logger().Debug("Setting a new client")
 	b.client = client
 }
 
 func (b *Backend) getClient(ctx context.Context, s logical.Storage) (Client, error) {
 	if b.client != nil && b.client.Valid() {
+		b.Logger().Debug("Returning existing gitlab client")
 		return b.client, nil
 	}
 
 	b.lockClientMutex.RLock()
 	defer b.lockClientMutex.RUnlock()
 	config, err := getConfig(ctx, s)
 	if err != nil {
+		b.Logger().Error("Failed to retrieve configuration", "error", err.Error())
 		return nil, err
 	}
 

entry_config.go

@@ -2,12 +2,15 @@ package gitlab
 
 import (
 	"context"
+	"crypto/sha1"
+	"fmt"
 	"time"
 
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
 type EntryConfig struct {
+	TokenId                int           `json:"token_id" yaml:"token_id" mapstructure:"token_id"`
 	BaseURL                string        `json:"base_url" structs:"base_url" mapstructure:"base_url"`
 	Token                  string        `json:"token" structs:"token" mapstructure:"token"`
 	AutoRotateToken        bool          `json:"auto_rotate_token" structs:"auto_rotate_token" mapstructure:"auto_rotate_token"`
@@ -24,10 +27,11 @@ func (e EntryConfig) LogicalResponseData() map[string]any {
 
 	return map[string]any{
 		"base_url":           e.BaseURL,
-		"token":              e.Token,
 		"auto_rotate_token":  e.AutoRotateToken,
 		"auto_rotate_before": e.AutoRotateBefore.String(),
+		"token_id":           e.TokenId,
 		"token_expires_at":   tokenExpiresAt,
+		"token_sha1_hash":    fmt.Sprintf("%x", sha1.Sum([]byte(e.Token))),
 	}
 }
 

gitlab_client.go

@@ -232,8 +232,16 @@ func NewGitlabClient(config *EntryConfig, httpClient *http.Client) (client Clien
 		return nil, fmt.Errorf("configure the backend first, config: %w", ErrNilValue)
 	}
 
-	if "" == strings.TrimSpace(config.BaseURL) || "" == strings.TrimSpace(config.Token) {
-		return nil, fmt.Errorf("base url or token is empty: %w", ErrInvalidValue)
+	if "" == strings.TrimSpace(config.BaseURL) {
+		err = errors.Join(err, fmt.Errorf("gitlab base url: %w", ErrInvalidValue))
+	}
+
+	if "" == strings.TrimSpace(config.Token) {
+		err = errors.Join(err, fmt.Errorf("gitlab token: %w", ErrInvalidValue))
+	}
+
+	if err != nil {
+		return nil, err
 	}
 
 	var opts = []g.ClientOptionFunc{

path_config.go

@@ -140,7 +140,6 @@ func (b *Backend) pathConfigWrite(ctx context.Context, req *logical.Request, dat
 
 	b.lockClientMutex.Lock()
 	defer b.lockClientMutex.Unlock()
-
 	err = saveConfig(ctx, config, req.Storage)
 	if err != nil {
 		return nil, err
@@ -155,7 +154,7 @@ func (b *Backend) pathConfigWrite(ctx context.Context, req *logical.Request, dat
 	})
 
 	b.SetClient(nil)
-	b.Logger().Debug("Wrote new config", "base_url", config.BaseURL)
+	b.Logger().Debug("Wrote new config", "base_url", config.BaseURL, "auto_rotate_token", config.AutoRotateToken, "revoke_auto_rotated_token", config.RevokeAutoRotatedToken, "auto_rotate_before", config.AutoRotateBefore)
 	return &logical.Response{
 		Data:     config.LogicalResponseData(),
 		Warnings: warnings,

path_config_rotate.go

@@ -31,32 +31,13 @@ func pathConfigTokenRotate(b *Backend) *framework.Path {
 }
 
 func (b *Backend) checkAndRotateConfigToken(ctx context.Context, request *logical.Request, config *EntryConfig) error {
-	var client Client
 	var err error
+	b.Logger().Debug("Running checkAndRotateConfigToken")
 
-	if client, err = b.getClient(ctx, request.Storage); err != nil {
+	if err = b.updateMainTokenExpiryTime(ctx, request, config); err != nil {
 		return err
 	}
 
-	if config.TokenExpiresAt.IsZero() {
-		var entryToken *EntryToken
-		// we need to fetch the token expiration information
-		entryToken, err = client.CurrentTokenInfo()
-		if err != nil {
-			return err
-		}
-		// and update the information so we can do the checks
-		config.TokenExpiresAt = *entryToken.ExpiresAt
-		err = func() error {
-			b.lockClientMutex.Lock()
-			defer b.lockClientMutex.Unlock()
-			return saveConfig(ctx, *config, request.Storage)
-		}()
-		if err != nil {
-			return err
-		}
-	}
-
 	if time.Until(config.TokenExpiresAt) > config.AutoRotateBefore {
 		b.Logger().Debug("Nothing to do it's not yet time to rotate the token")
 		return nil
@@ -67,13 +48,15 @@ func (b *Backend) checkAndRotateConfigToken(ctx context.Context, request *logica
 }
 
 func (b *Backend) pathConfigTokenRotate(ctx context.Context, request *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	b.Logger().Debug("Running pathConfigTokenRotate")
 	var config *EntryConfig
 	var client Client
 	var err error
 
 	b.lockClientMutex.RLock()
 	if config, err = getConfig(ctx, request.Storage); err != nil {
 		b.lockClientMutex.RUnlock()
+		b.Logger().Error("Failed to fetch configuration", "error", err.Error())
 		return nil, err
 	}
 	b.lockClientMutex.RUnlock()
@@ -90,14 +73,15 @@ func (b *Backend) pathConfigTokenRotate(ctx context.Context, request *logical.Re
 	var entryToken, oldToken *EntryToken
 	entryToken, oldToken, err = client.RotateCurrentToken(config.RevokeAutoRotatedToken)
 	if err != nil {
-		b.Logger().Error("failed to rotate main token", "err", err)
+		b.Logger().Error("Failed to rotate main token", "err", err)
 		return nil, err
 	}
 
 	config.Token = entryToken.Token
 	if entryToken.ExpiresAt != nil {
 		config.TokenExpiresAt = *entryToken.ExpiresAt
 	}
+	config.TokenId = entryToken.TokenID
 	b.lockClientMutex.Lock()
 	defer b.lockClientMutex.Unlock()
 	err = saveConfig(ctx, *config, request.Storage)

path_config_rotate_test.go

@@ -6,8 +6,9 @@ import (
 	"testing"
 
 	"github.com/hashicorp/vault/sdk/logical"
-	gitlab "github.com/ilijamt/vault-plugin-secrets-gitlab"
 	"github.com/stretchr/testify/require"
+
+	gitlab "github.com/ilijamt/vault-plugin-secrets-gitlab"
 )
 
 func TestPathConfigRotate(t *testing.T) {

path_config_test.go

@@ -65,7 +65,7 @@ func TestPathConfig(t *testing.T) {
 		require.NoError(t, err)
 		require.NotNil(t, resp)
 		require.NoError(t, resp.Error())
-		assert.EqualValues(t, "token", resp.Data["token"])
+		assert.NotEmpty(t, resp.Data["token_sha1_hash"])
 		assert.NotEmpty(t, resp.Data["base_url"])
 		require.Len(t, events.eventsProcessed, 1)
 

path_config_token_autorotate_test.go

@@ -141,6 +141,7 @@ func TestPathConfig_AutoRotateToken(t *testing.T) {
 		b, l, err := getBackendWithConfig(map[string]any{"token": "token"})
 		require.NoError(t, err)
 
+		b.SetClient(newInMemoryClient(true))
 		err = b.PeriodicFunc(context.Background(), &logical.Request{Storage: l})
 		require.NoError(t, err)
 	})
@@ -176,7 +177,7 @@ func TestPathConfig_AutoRotateToken(t *testing.T) {
 		require.NotNil(t, resp)
 		require.NoError(t, resp.Error())
 		require.NotEmpty(t, resp.Data)
-		require.EqualValues(t, "new token", resp.Data["token"])
+		require.NotEmpty(t, resp.Data["token_sha1_hash"])
 		require.NotEmpty(t, resp.Data["token_expires_at"])
 
 		events.expectEvents(t, []expectedEvent{