Omit wrapping tokens and control groups from client counts (#11826)

* Omit wrapping tokens and control groups from client counts * add changelog note
hashicorp · Jun 10, 2021 · e1730a1 · e1730a1
1 parent 45c8169
commit e1730a1
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 6 deletions.
diff --git a/changelog/11826.txt b/changelog/11826.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+activity: Omit wrapping tokens and control groups from client counts
+```
diff --git a/vault/activity_log.go b/vault/activity_log.go
@@ -1504,7 +1504,9 @@ func (a *ActivityLog) HandleTokenCreation(entry *logical.TokenEntry) {
 	if entry.EntityID != "" {
 		a.AddEntityToFragment(entry.EntityID, entry.NamespaceID, entry.CreationTime)
 	} else {
-		a.AddTokenToFragment(entry.NamespaceID)
+		if !IsWrappingToken(entry) {
+			a.AddTokenToFragment(entry.NamespaceID)
+		}
 	}
 }
 

diff --git a/vault/activity_log_test.go b/vault/activity_log_test.go
@@ -91,6 +91,54 @@ func TestActivityLog_Creation(t *testing.T) {
 	}
 }
 
+func TestActivityLog_Creation_WrappingTokens(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+
+	a := core.activityLog
+	a.SetEnable(true)
+
+	if a == nil {
+		t.Fatal("no activity log found")
+	}
+	if a.logger == nil || a.view == nil {
+		t.Fatal("activity log not initialized")
+	}
+	a.fragmentLock.Lock()
+	if a.fragment != nil {
+		t.Fatal("activity log already has fragment")
+	}
+	a.fragmentLock.Unlock()
+	const namespace_id = "ns123"
+
+	a.HandleTokenCreation(&logical.TokenEntry{
+		Path:         "test",
+		Policies:     []string{responseWrappingPolicyName},
+		CreationTime: time.Now().Unix(),
+		TTL:          3600,
+		NamespaceID:  namespace_id,
+	})
+
+	a.fragmentLock.Lock()
+	if a.fragment != nil {
+		t.Fatal("fragment created")
+	}
+	a.fragmentLock.Unlock()
+
+	a.HandleTokenCreation(&logical.TokenEntry{
+		Path:         "test",
+		Policies:     []string{controlGroupPolicyName},
+		CreationTime: time.Now().Unix(),
+		TTL:          3600,
+		NamespaceID:  namespace_id,
+	})
+
+	a.fragmentLock.Lock()
+	if a.fragment != nil {
+		t.Fatal("fragment created")
+	}
+	a.fragmentLock.Unlock()
+}
+
 func checkExpectedEntitiesInMap(t *testing.T, a *ActivityLog, entityIDs []string) {
 	t.Helper()
 

diff --git a/vault/wrapping.go b/vault/wrapping.go
@@ -444,11 +444,7 @@ func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request)
 		return false, nil
 	}
 
-	if len(te.Policies) != 1 {
-		return false, nil
-	}
-
-	if te.Policies[0] != responseWrappingPolicyName && te.Policies[0] != controlGroupPolicyName {
+	if !IsWrappingToken(te) {
 		return false, nil
 	}
 
@@ -460,3 +456,15 @@ func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request)
 
 	return true, nil
 }
+
+func IsWrappingToken(te *logical.TokenEntry) bool {
+	if len(te.Policies) != 1 {
+		return false
+	}
+
+	if te.Policies[0] != responseWrappingPolicyName && te.Policies[0] != controlGroupPolicyName {
+		return false
+	}
+
+	return true
+}