276 lines
10 KiB
Go
276 lines
10 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package api
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
"errors"
|
|
"flag"
|
|
"net/url"
|
|
"os"
|
|
"regexp"
|
|
|
|
"github.com/go-jose/go-jose/v3/jwt"
|
|
|
|
"github.com/hashicorp/errwrap"
|
|
)
|
|
|
|
const (
|
|
// PluginAutoMTLSEnv is used to ensure AutoMTLS is used. This will override
|
|
// setting a TLSProviderFunc for a plugin.
|
|
PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS_ENABLED"
|
|
|
|
// PluginMetadataModeEnv is an ENV name used to disable TLS communication
|
|
// to bootstrap mounting plugins.
|
|
PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"
|
|
|
|
// PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the
|
|
// plugin.
|
|
PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"
|
|
)
|
|
|
|
// sudoPaths is a map containing the paths that require a token's policy
|
|
// to have the "sudo" capability. The keys are the paths as strings, in
|
|
// the same format as they are returned by the OpenAPI spec. The values
|
|
// are the regular expressions that can be used to test whether a given
|
|
// path matches that path or not (useful specifically for the paths that
|
|
// contain templated fields.)
|
|
var sudoPaths = map[string]*regexp.Regexp{
|
|
"/auth/token/accessors": regexp.MustCompile(`^/auth/token/accessors/?$`),
|
|
"/pki/root": regexp.MustCompile(`^/pki/root$`),
|
|
"/pki/root/sign-self-issued": regexp.MustCompile(`^/pki/root/sign-self-issued$`),
|
|
"/sys/audit": regexp.MustCompile(`^/sys/audit$`),
|
|
"/sys/audit/{path}": regexp.MustCompile(`^/sys/audit/.+$`),
|
|
"/sys/auth/{path}": regexp.MustCompile(`^/sys/auth/.+$`),
|
|
"/sys/auth/{path}/tune": regexp.MustCompile(`^/sys/auth/.+/tune$`),
|
|
"/sys/config/auditing/request-headers": regexp.MustCompile(`^/sys/config/auditing/request-headers$`),
|
|
"/sys/config/auditing/request-headers/{header}": regexp.MustCompile(`^/sys/config/auditing/request-headers/.+$`),
|
|
"/sys/config/cors": regexp.MustCompile(`^/sys/config/cors$`),
|
|
"/sys/config/ui/headers": regexp.MustCompile(`^/sys/config/ui/headers/?$`),
|
|
"/sys/config/ui/headers/{header}": regexp.MustCompile(`^/sys/config/ui/headers/.+$`),
|
|
"/sys/leases": regexp.MustCompile(`^/sys/leases$`),
|
|
"/sys/leases/lookup/": regexp.MustCompile(`^/sys/leases/lookup/?$`),
|
|
"/sys/leases/lookup/{prefix}": regexp.MustCompile(`^/sys/leases/lookup/.+$`),
|
|
"/sys/leases/revoke-force/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-force/.+$`),
|
|
"/sys/leases/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-prefix/.+$`),
|
|
"/sys/plugins/catalog/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[^/]+$`),
|
|
"/sys/plugins/catalog/{type}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+$`),
|
|
"/sys/plugins/catalog/{type}/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+/[^/]+$`),
|
|
"/sys/raw": regexp.MustCompile(`^/sys/raw$`),
|
|
"/sys/raw/{path}": regexp.MustCompile(`^/sys/raw/.+$`),
|
|
"/sys/remount": regexp.MustCompile(`^/sys/remount$`),
|
|
"/sys/revoke-force/{prefix}": regexp.MustCompile(`^/sys/revoke-force/.+$`),
|
|
"/sys/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/revoke-prefix/.+$`),
|
|
"/sys/rotate": regexp.MustCompile(`^/sys/rotate$`),
|
|
"/sys/internal/inspect/router/{tag}": regexp.MustCompile(`^/sys/internal/inspect/router/.+$`),
|
|
|
|
// enterprise-only paths
|
|
"/sys/replication/dr/primary/secondary-token": regexp.MustCompile(`^/sys/replication/dr/primary/secondary-token$`),
|
|
"/sys/replication/performance/primary/secondary-token": regexp.MustCompile(`^/sys/replication/performance/primary/secondary-token$`),
|
|
"/sys/replication/primary/secondary-token": regexp.MustCompile(`^/sys/replication/primary/secondary-token$`),
|
|
"/sys/replication/reindex": regexp.MustCompile(`^/sys/replication/reindex$`),
|
|
"/sys/storage/raft/snapshot-auto/config/": regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/?$`),
|
|
"/sys/storage/raft/snapshot-auto/config/{name}": regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/[^/]+$`),
|
|
}
|
|
|
|
// PluginAPIClientMeta is a helper that plugins can use to configure TLS connections
|
|
// back to Vault.
|
|
type PluginAPIClientMeta struct {
|
|
// These are set by the command line flags.
|
|
flagCACert string
|
|
flagCAPath string
|
|
flagClientCert string
|
|
flagClientKey string
|
|
flagServerName string
|
|
flagInsecure bool
|
|
}
|
|
|
|
// FlagSet returns the flag set for configuring the TLS connection
|
|
func (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet {
|
|
fs := flag.NewFlagSet("vault plugin settings", flag.ContinueOnError)
|
|
|
|
fs.StringVar(&f.flagCACert, "ca-cert", "", "")
|
|
fs.StringVar(&f.flagCAPath, "ca-path", "", "")
|
|
fs.StringVar(&f.flagClientCert, "client-cert", "", "")
|
|
fs.StringVar(&f.flagClientKey, "client-key", "", "")
|
|
fs.StringVar(&f.flagServerName, "tls-server-name", "", "")
|
|
fs.BoolVar(&f.flagInsecure, "tls-skip-verify", false, "")
|
|
|
|
return fs
|
|
}
|
|
|
|
// GetTLSConfig will return a TLSConfig based off the values from the flags
|
|
func (f *PluginAPIClientMeta) GetTLSConfig() *TLSConfig {
|
|
// If we need custom TLS configuration, then set it
|
|
if f.flagCACert != "" || f.flagCAPath != "" || f.flagClientCert != "" || f.flagClientKey != "" || f.flagInsecure || f.flagServerName != "" {
|
|
t := &TLSConfig{
|
|
CACert: f.flagCACert,
|
|
CAPath: f.flagCAPath,
|
|
ClientCert: f.flagClientCert,
|
|
ClientKey: f.flagClientKey,
|
|
TLSServerName: f.flagServerName,
|
|
Insecure: f.flagInsecure,
|
|
}
|
|
|
|
return t
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// VaultPluginTLSProvider wraps VaultPluginTLSProviderContext using context.Background.
|
|
func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
|
|
return VaultPluginTLSProviderContext(context.Background(), apiTLSConfig)
|
|
}
|
|
|
|
// VaultPluginTLSProviderContext is run inside a plugin and retrieves the response
|
|
// wrapped TLS certificate from vault. It returns a configured TLS Config.
|
|
func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
|
|
if os.Getenv(PluginAutoMTLSEnv) == "true" || os.Getenv(PluginMetadataModeEnv) == "true" {
|
|
return nil
|
|
}
|
|
|
|
return func() (*tls.Config, error) {
|
|
unwrapToken := os.Getenv(PluginUnwrapTokenEnv)
|
|
|
|
parsedJWT, err := jwt.ParseSigned(unwrapToken)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)
|
|
}
|
|
|
|
allClaims := make(map[string]interface{})
|
|
if err = parsedJWT.UnsafeClaimsWithoutVerification(&allClaims); err != nil {
|
|
return nil, errwrap.Wrapf("error parsing claims from wrapping token: {{err}}", err)
|
|
}
|
|
|
|
addrClaimRaw, ok := allClaims["addr"]
|
|
if !ok {
|
|
return nil, errors.New("could not validate addr claim")
|
|
}
|
|
vaultAddr, ok := addrClaimRaw.(string)
|
|
if !ok {
|
|
return nil, errors.New("could not parse addr claim")
|
|
}
|
|
if vaultAddr == "" {
|
|
return nil, errors.New(`no vault api_addr found`)
|
|
}
|
|
|
|
// Sanity check the value
|
|
if _, err := url.Parse(vaultAddr); err != nil {
|
|
return nil, errwrap.Wrapf("error parsing the vault api_addr: {{err}}", err)
|
|
}
|
|
|
|
// Unwrap the token
|
|
clientConf := DefaultConfig()
|
|
clientConf.Address = vaultAddr
|
|
if apiTLSConfig != nil {
|
|
err := clientConf.ConfigureTLS(apiTLSConfig)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error configuring api client {{err}}", err)
|
|
}
|
|
}
|
|
client, err := NewClient(clientConf)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error during api client creation: {{err}}", err)
|
|
}
|
|
|
|
// Reset token value to make sure nothing has been set by default
|
|
client.ClearToken()
|
|
|
|
secret, err := client.Logical().UnwrapWithContext(ctx, unwrapToken)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error during token unwrap request: {{err}}", err)
|
|
}
|
|
if secret == nil {
|
|
return nil, errors.New("error during token unwrap request: secret is nil")
|
|
}
|
|
|
|
// Retrieve and parse the server's certificate
|
|
serverCertBytesRaw, ok := secret.Data["ServerCert"].(string)
|
|
if !ok {
|
|
return nil, errors.New("error unmarshalling certificate")
|
|
}
|
|
|
|
serverCertBytes, err := base64.StdEncoding.DecodeString(serverCertBytesRaw)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
|
}
|
|
|
|
serverCert, err := x509.ParseCertificate(serverCertBytes)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
|
}
|
|
|
|
// Retrieve and parse the server's private key
|
|
serverKeyB64, ok := secret.Data["ServerKey"].(string)
|
|
if !ok {
|
|
return nil, errors.New("error unmarshalling certificate")
|
|
}
|
|
|
|
serverKeyRaw, err := base64.StdEncoding.DecodeString(serverKeyB64)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
|
}
|
|
|
|
serverKey, err := x509.ParseECPrivateKey(serverKeyRaw)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
|
}
|
|
|
|
// Add CA cert to the cert pool
|
|
caCertPool := x509.NewCertPool()
|
|
caCertPool.AddCert(serverCert)
|
|
|
|
// Build a certificate object out of the server's cert and private key.
|
|
cert := tls.Certificate{
|
|
Certificate: [][]byte{serverCertBytes},
|
|
PrivateKey: serverKey,
|
|
Leaf: serverCert,
|
|
}
|
|
|
|
// Setup TLS config
|
|
tlsConfig := &tls.Config{
|
|
ClientCAs: caCertPool,
|
|
RootCAs: caCertPool,
|
|
ClientAuth: tls.RequireAndVerifyClientCert,
|
|
// TLS 1.2 minimum
|
|
MinVersion: tls.VersionTLS12,
|
|
Certificates: []tls.Certificate{cert},
|
|
ServerName: serverCert.Subject.CommonName,
|
|
}
|
|
|
|
return tlsConfig, nil
|
|
}
|
|
}
|
|
|
|
func SudoPaths() map[string]*regexp.Regexp {
|
|
return sudoPaths
|
|
}
|
|
|
|
// Determine whether the given path requires the sudo capability.
|
|
// Note that this uses hardcoded static path information, so will return incorrect results for paths in namespaces,
|
|
// or for secret engines mounted at non-default paths.
|
|
func IsSudoPath(path string) bool {
|
|
// Return early if the path is any of the non-templated sudo paths.
|
|
if _, ok := sudoPaths[path]; ok {
|
|
return true
|
|
}
|
|
|
|
// Some sudo paths have templated fields in them.
|
|
// (e.g. /sys/revoke-prefix/{prefix})
|
|
// The values in the sudoPaths map are actually regular expressions,
|
|
// so we can check if our path matches against them.
|
|
for _, sudoPathRegexp := range sudoPaths {
|
|
match := sudoPathRegexp.MatchString(path)
|
|
if match {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|