// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package pluginutil

import (
	"os"

	"github.com/hashicorp/go-secure-stdlib/mlock"
	version "github.com/hashicorp/go-version"
)

// Names of the environment variables the Vault server hands to a plugin
// process. The helpers further down read a subset of them on the plugin side.
const (
	// PluginAutoMTLSEnv forces AutoMTLS for the plugin connection; when it is
	// set it takes precedence over any TLSProviderFunc configured for the plugin.
	PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS_ENABLED"

	// PluginMlockEnabled carries the mlock setting to the plugin. Only the
	// literal value "true" is honoured (see OptionallyEnableMlock).
	PluginMlockEnabled = "VAULT_PLUGIN_MLOCK_ENABLED"

	// PluginVaultVersionEnv carries the version of the Vault server to the
	// plugin; GRPCSupport derives the transport choice from it.
	PluginVaultVersionEnv = "VAULT_VERSION"

	// PluginMetadataModeEnv marks a plugin as running in metadata mode, in
	// which TLS communication is disabled so that mounting can be bootstrapped.
	PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"

	// PluginUnwrapTokenEnv carries an unwrap token to the plugin. Note that the
	// token therefore travels through the plugin's process environment.
	PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"

	// PluginCACertPEMEnv holds a PEM-encoded CA certificate as a string. It is
	// intended for testing.
	PluginCACertPEMEnv = "VAULT_TESTING_PLUGIN_CA_PEM"

	// PluginMultiplexingOptOut holds a comma-separated list of plugin names
	// that opt out of multiplexing; an escape hatch should multiplexing ever
	// cause problems.
	PluginMultiplexingOptOut = "VAULT_PLUGIN_MULTIPLEXING_OPT_OUT"

	// PluginUseLegacyEnvLayering opts out of the newer environment variable
	// precedence. When set to true, variables of the Vault process win over
	// colliding plugin-specific variables; otherwise the plugin-specific
	// variables win.
	PluginUseLegacyEnvLayering = "VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING"
)

// OptionallyEnableMlock locks the process memory via mlock.LockMemory when
// PluginMlockEnabled is exactly "true". Any other value (including "1" or
// "TRUE") is a no-op and returns nil; otherwise the error from
// mlock.LockMemory is returned unchanged.
func OptionallyEnableMlock() error {
	if os.Getenv(PluginMlockEnabled) != "true" {
		return nil
	}
	return mlock.LockMemory()
}

// GRPCSupport reports whether the plugin framework should default to gRPC.
// It returns false only when PluginVaultVersionEnv is empty or names a
// parseable version below 0.9.4; an absent constraint, the literal "unknown"
// and unparseable version strings all yield true.
func GRPCSupport() bool {
	raw := os.Getenv(PluginVaultVersionEnv)
	switch raw {
	case "":
		// No version advertised: fall back to netrpc for backward compatibility.
		return false
	case "unknown":
		// Accepted without parsing.
		return true
	}

	parsed, err := version.NewVersion(raw)
	if err != nil {
		// An unparseable version does not downgrade the transport.
		return true
	}

	// Regressions on 0.9.2 and 0.9.3 make 0.9.4 the floor for defaulting
	// to gRPC.
	const minGRPCVersion = ">= 0.9.4"
	floor, err := version.NewConstraint(minGRPCVersion)
	if err != nil {
		return true
	}
	return floor.Check(parsed)
}

// InMetadataMode reports whether the calling plugin runs in metadata mode,
// i.e. PluginMetadataModeEnv is exactly "true".
func InMetadataMode() bool {
	mode := os.Getenv(PluginMetadataModeEnv)
	return mode == "true"
}