From 4ac5aefba9bf617bdc709c69b831b3dfea9ad53b Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Tue, 5 Mar 2024 14:26:17 +0100
Subject: [PATCH] keystore: fix conn leak in {AWS,GCP,Fortanx,Gemalto} backend

This commit fixes a TCP conn leak in the AWS, GCP, Fortanix and Gemalto KMS backend. Due to a missing `http.Response.Body.Close` call, the status check in these backends accumulated TCP connections that are not closed by the runtime. This resource leak can cause OOM issues.
Fixes #445
Signed-off-by: Andreas Auernhammer
---
 internal/keystore/aws/secrets-manager.go | 5 ++++-
 internal/keystore/azure/key-vault.go | 3 ++-
 internal/keystore/fortanix/keystore.go | 5 ++++-
 internal/keystore/gcp/secret-manager.go | 5 ++++-
 internal/keystore/gemalto/key-secure.go | 5 ++++-
 5 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/internal/keystore/aws/secrets-manager.go b/internal/keystore/aws/secrets-manager.go
index c989ecd7..e1e1d859 100644
--- a/internal/keystore/aws/secrets-manager.go
+++ b/internal/keystore/aws/secrets-manager.go
@@ -112,9 +112,12 @@ func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error) {
 }
 start := time.Now()
- if _, err = http.DefaultClient.Do(req); err != nil {
+ resp, err := http.DefaultClient.Do(req)
+ if err != nil {
 return kes.KeyStoreState{}, &keystore.ErrUnreachable{Err: err}
 }
+ defer resp.Body.Close()
+
 return kes.KeyStoreState{
 Latency: time.Since(start),
 }, nil
diff --git a/internal/keystore/azure/key-vault.go b/internal/keystore/azure/key-vault.go
index da394327..ff0e924a 100644
--- a/internal/keystore/azure/key-vault.go
+++ b/internal/keystore/azure/key-vault.go
@@ -57,7 +57,8 @@ func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error) {
 if err != nil {
 return kes.KeyStoreState{}, &keystore.ErrUnreachable{Err: err}
 }
- resp.Body.Close()
+ defer resp.Body.Close()
+
 return kes.KeyStoreState{
 Latency: time.Since(start),
 }, nil
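Review bot: The new `defer resp.Body.Close()` in the aws Status closes the response body without reading it, and Go's HTTP transport may not reuse a keep-alive connection unless the body was read to EOF before being closed. The leak is fixed, but a frequently polled status check can then still pay a fresh TCP/TLS handshake on every call; the azure hunk here and the fortanix, gcp and gemalto hunks have the same shape. Draining a bounded amount first keeps the connection reusable without letting a misbehaving endpoint stream unbounded data into the probe: `defer func() { _, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, 1<<16)); resp.Body.Close() }()` (the cap is an illustrative value). Status begins above the hunk, so whether `io` is already imported in these files is not visible here.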
diff --git a/internal/keystore/fortanix/keystore.go b/internal/keystore/fortanix/keystore.go
index add81c37..857adabf 100644
--- a/internal/keystore/fortanix/keystore.go
+++ b/internal/keystore/fortanix/keystore.go
@@ -189,9 +189,12 @@ func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error) {
 }
 start := time.Now()
- if _, err = http.DefaultClient.Do(req); err != nil {
+ resp, err := http.DefaultClient.Do(req)
+ if err != nil {
 return kes.KeyStoreState{}, &keystore.ErrUnreachable{Err: err}
 }
+ defer resp.Body.Close()
+
 return kes.KeyStoreState{
 Latency: time.Since(start),
 }, nil
diff --git a/internal/keystore/gcp/secret-manager.go b/internal/keystore/gcp/secret-manager.go
index d596511c..b7a14609 100644
--- a/internal/keystore/gcp/secret-manager.go
+++ b/internal/keystore/gcp/secret-manager.go
@@ -112,9 +112,12 @@ func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error) {
 }
 start := time.Now()
- if _, err = http.DefaultClient.Do(req); err != nil {
+ resp, err := http.DefaultClient.Do(req)
+ if err != nil {
 return kes.KeyStoreState{}, &keystore.ErrUnreachable{Err: err}
 }
+ defer resp.Body.Close()
+
 return kes.KeyStoreState{
 Latency: time.Since(start),
 }, nil
diff --git a/internal/keystore/gemalto/key-secure.go b/internal/keystore/gemalto/key-secure.go
index 327391de..4e383ee4 100644
--- a/internal/keystore/gemalto/key-secure.go
+++ b/internal/keystore/gemalto/key-secure.go
@@ -122,9 +122,12 @@ func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error) {
 }
 start := time.Now()
- if _, err = http.DefaultClient.Do(req); err != nil {
+ resp, err := http.DefaultClient.Do(req)
+ if err != nil {
 return kes.KeyStoreState{}, &keystore.ErrUnreachable{Err: err}
 }
+ defer resp.Body.Close()
+
 return kes.KeyStoreState{
 Latency: time.Since(start),
 }, nil
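Review bot: `http.DefaultClient.Do(req)` in the fortanix Status, and identically in the gcp, gemalto and aws hunks, runs on a client with no `Timeout`, so the only bound on the probe is whatever deadline the caller put on `ctx`. The code that builds `req` sits above the hunk, so its binding to `ctx` is assumed here rather than visible. If a caller passes a context without a deadline, an endpoint that accepts the connection and never answers would hold the goroutine and its socket open, which is the same kind of accumulation this commit sets out to fix. A doc comment on Status such as `// The caller must supply a ctx with a deadline; http.DefaultClient has no timeout of its own.` would record the contract, or the package could use its own client with a `Timeout` set. The response status code is also not inspected, so any HTTP reply counts as reachable; if that is intended it deserves a one-line comment next to the `defer`.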