luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/http/sys_seal.go

265 lines
7.0 KiB
Go
Raw Normal View History

http: start the API server
2015-03-12 06:05:16 +00:00
package http
import (
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
"context"
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing.
2016-08-15 20:01:15 +00:00
"encoding/base64"
http: test all seal endpoints
2015-03-12 18:12:44 +00:00
"encoding/hex"
http: start the API server
2015-03-12 06:05:16 +00:00
"errors"
http: /sys/seal-status should return 400 if still uninitialized
2015-03-31 06:36:03 +00:00
"fmt"
http: start the API server
2015-03-12 06:05:16 +00:00
"net/http"
http: mask user error away from unseal since its not actionable
2015-03-12 18:26:59 +00:00
"github.com/hashicorp/errwrap"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/version"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/vault"
http: start the API server
2015-03-12 06:05:16 +00:00
)
func handleSysSeal(core *vault.Core) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Save the original request body for forwarding (#6538) * Save the original request body for forwarding If we are forwarding a request after initial parsing the request body is already consumed. As a result a forwarded call containing a request body will have the body be nil. This saves the original request body for a given request via a TeeReader and uses that in cases of forwarding past body consumption.
2019-04-05 18:36:34 +00:00
req, _, statusCode, err := buildLogicalRequest(core, w, r)
Enable audit-logging of seal and step-down commands. This pulls the logical request building code into its own function so that it's accessible from other HTTP handlers, then uses that with some added logic to the Seal() and StepDown() commands to have meaningful audit log entries.
2016-05-20 17:03:54 +00:00
if err != nil || statusCode != 0 {
respondError(w, statusCode, err)
return
}
switch req.Operation {
case logical.UpdateOperation:
Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things
2015-08-31 21:55:22 +00:00
default:
http: start the API server
2015-03-12 06:05:16 +00:00
respondError(w, http.StatusMethodNotAllowed, nil)
return
}
http: /sys/seal requires a token
2015-03-31 18:45:44 +00:00
// Seal with the token above
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
// We use context.Background since there won't be a request context if the node isn't active
Add request timeouts in normal request path and to expirations (#4971) * Add request timeouts in normal request path and to expirations * Add ability to adjust default max request duration * Some test fixes * Ensure tests have defaults set for max request duration * Add context cancel checking to inmem/file * Fix tests * Fix tests * Set default max request duration to basically infinity for this release for BC * Address feedback
2018-07-24 21:50:49 +00:00
if err := core.SealWithRequest(r.Context(), req); err != nil {
Set number of pester retries to zero by default and make seal command… (#2093) * Set number of pester retries to zero by default and make seal command return 403 if unauthorized instead of 500 * Fix build * Use 403 instead and update test * Change another 500 to 403
2016-11-16 19:08:09 +00:00
if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
respondError(w, http.StatusForbidden, err)
return
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
respondError(w, http.StatusInternalServerError, err)
return
http: start the API server
2015-03-12 06:05:16 +00:00
}
respondOk(w, nil)
})
}
Provide 'sys/step-down' and 'vault step-down' This endpoint causes the node it's hit to step down from active duty. It's a noop if the node isn't active or not running in HA mode. The node will wait one second before attempting to reacquire the lock, to give other nodes a chance to grab it. Fixes #1093
2016-02-27 00:43:55 +00:00
func handleSysStepDown(core *vault.Core) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Save the original request body for forwarding (#6538) * Save the original request body for forwarding If we are forwarding a request after initial parsing the request body is already consumed. As a result a forwarded call containing a request body will have the body be nil. This saves the original request body for a given request via a TeeReader and uses that in cases of forwarding past body consumption.
2019-04-05 18:36:34 +00:00
req, _, statusCode, err := buildLogicalRequest(core, w, r)
Enable audit-logging of seal and step-down commands. This pulls the logical request building code into its own function so that it's accessible from other HTTP handlers, then uses that with some added logic to the Seal() and StepDown() commands to have meaningful audit log entries.
2016-05-20 17:03:54 +00:00
if err != nil || statusCode != 0 {
respondError(w, statusCode, err)
return
}
switch req.Operation {
case logical.UpdateOperation:
Provide 'sys/step-down' and 'vault step-down' This endpoint causes the node it's hit to step down from active duty. It's a noop if the node isn't active or not running in HA mode. The node will wait one second before attempting to reacquire the lock, to give other nodes a chance to grab it. Fixes #1093
2016-02-27 00:43:55 +00:00
default:
respondError(w, http.StatusMethodNotAllowed, nil)
return
}
// Seal with the token above
Add request timeouts in normal request path and to expirations (#4971) * Add request timeouts in normal request path and to expirations * Add ability to adjust default max request duration * Some test fixes * Ensure tests have defaults set for max request duration * Add context cancel checking to inmem/file * Fix tests * Fix tests * Set default max request duration to basically infinity for this release for BC * Address feedback
2018-07-24 21:50:49 +00:00
if err := core.StepDown(r.Context(), req); err != nil {
The big one (#5346)
2018-09-18 03:03:00 +00:00
if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
respondError(w, http.StatusForbidden, err)
return
}
Provide 'sys/step-down' and 'vault step-down' This endpoint causes the node it's hit to step down from active duty. It's a noop if the node isn't active or not running in HA mode. The node will wait one second before attempting to reacquire the lock, to give other nodes a chance to grab it. Fixes #1093
2016-02-27 00:43:55 +00:00
respondError(w, http.StatusInternalServerError, err)
return
}
respondOk(w, nil)
})
}
http: start the API server
2015-03-12 06:05:16 +00:00
func handleSysUnseal(core *vault.Core) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things
2015-08-31 21:55:22 +00:00
switch r.Method {
case "PUT":
case "POST":
default:
http: start the API server
2015-03-12 06:05:16 +00:00
respondError(w, http.StatusMethodNotAllowed, nil)
return
}
// Parse the request
var req UnsealRequest
Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration
2019-10-15 04:55:31 +00:00
if _, err := parseRequest(core.PerfStandby(), r, w, &req); err != nil {
http: start the API server
2015-03-12 06:05:16 +00:00
respondError(w, http.StatusBadRequest, err)
return
}
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695
2015-10-28 19:59:39 +00:00
if req.Reset {
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 20:57:25 +00:00
if !core.Sealed() {
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695
2015-10-28 19:59:39 +00:00
respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))
return
}
core.ResetUnsealProcess()
Seal migration (OSS) (#781)
2018-10-23 06:34:02 +00:00
handleSysSealStatusRaw(core, w, r)
return
}
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695
2015-10-28 19:59:39 +00:00
Seal migration (OSS) (#781)
2018-10-23 06:34:02 +00:00
isInSealMigration := core.IsInSealMigration()
if !req.Migrate && isInSealMigration {
respondError(
w, http.StatusBadRequest,
errors.New("'migrate' parameter must be set true in JSON body when in seal migration mode"))
return
}
if req.Migrate && !isInSealMigration {
respondError(
w, http.StatusBadRequest,
errors.New("'migrate' parameter set true in JSON body when not in seal migration mode"))
return
}
if req.Key == "" {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be specified in request body as JSON, or 'reset' set to true"))
return
}
// Decode the key, which is base64 or hex encoded
min, max := core.BarrierKeyLength()
key, err := hex.DecodeString(req.Key)
// We check min and max here to ensure that a string that is base64
// encoded but also valid hex will not be valid and we instead base64
// decode it
if err != nil || len(key) < min || len(key) > max {
key, err = base64.StdEncoding.DecodeString(req.Key)
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests
2017-11-07 20:15:39 +00:00
if err != nil {
Seal migration (OSS) (#781)
2018-10-23 06:34:02 +00:00
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be a valid hex or base64 string"))
Error when an invalid (as opposed to incorrect) unseal key is given. (#1782) Fixes #1777
2016-08-24 18:15:25 +00:00
return
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695
2015-10-28 19:59:39 +00:00
}
http: start the API server
2015-03-12 06:05:16 +00:00
}
Seal migration (OSS) (#781)
2018-10-23 06:34:02 +00:00
// Attempt the unseal
if core.SealAccess().RecoveryKeySupported() {
_, err = core.UnsealWithRecoveryKeys(key)
} else {
_, err = core.Unseal(key)
}
if err != nil {
switch {
case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):
case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):
case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):
case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):
case errwrap.Contains(err, consts.ErrStandby.Error()):
default:
respondError(w, http.StatusInternalServerError, err)
return
}
respondError(w, http.StatusBadRequest, err)
return
}
http: start the API server
2015-03-12 06:05:16 +00:00
// Return the seal status
handleSysSealStatusRaw(core, w, r)
})
}
func handleSysSealStatus(core *vault.Core) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method != "GET" {
respondError(w, http.StatusMethodNotAllowed, nil)
return
}
handleSysSealStatusRaw(core, w, r)
})
}
func handleSysSealStatusRaw(core *vault.Core, w http.ResponseWriter, r *http.Request) {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
ctx := context.Background()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 20:57:25 +00:00
sealed := core.Sealed()
http: start the API server
2015-03-12 06:05:16 +00:00
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests
2017-11-07 20:15:39 +00:00
var sealConfig *vault.SealConfig
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 20:57:25 +00:00
var err error
Remove context from a few extraneous places
2018-01-19 08:44:06 +00:00
if core.SealAccess().RecoveryKeySupported() {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
sealConfig, err = core.SealAccess().RecoveryConfig(ctx)
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests
2017-11-07 20:15:39 +00:00
} else {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
sealConfig, err = core.SealAccess().BarrierConfig(ctx)
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests
2017-11-07 20:15:39 +00:00
}
http: start the API server
2015-03-12 06:05:16 +00:00
if err != nil {
respondError(w, http.StatusInternalServerError, err)
return
}
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests
2017-11-07 20:15:39 +00:00
http: /sys/seal-status should return 400 if still uninitialized
2015-03-31 06:36:03 +00:00
if sealConfig == nil {
Send initialized information via sys/seal-status (#5424)
2018-09-27 21:03:37 +00:00
respondOk(w, &SealStatusResponse{
Type: core.SealAccess().BarrierType(),
Initialized: false,
Sealed: true,
RecoverySeal: core.SealAccess().RecoveryKeySupported(),
Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration
2019-10-15 04:55:31 +00:00
StorageType: core.StorageType(),
Send initialized information via sys/seal-status (#5424)
2018-09-27 21:03:37 +00:00
})
http: /sys/seal-status should return 400 if still uninitialized
2015-03-31 06:36:03 +00:00
return
}
http: start the API server
2015-03-12 06:05:16 +00:00
Add cluster information to 'vault status'
2016-07-29 18:13:53 +00:00
// Fetch the local cluster name and identifier
var clusterName, clusterID string
if !sealed {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
cluster, err := core.Cluster(ctx)
Add cluster information to 'vault status'
2016-07-29 18:13:53 +00:00
if err != nil {
respondError(w, http.StatusInternalServerError, err)
return
}
Address review feedback from @jefferai
2016-08-10 19:22:12 +00:00
if cluster == nil {
respondError(w, http.StatusInternalServerError, fmt.Errorf("failed to fetch cluster details"))
return
}
Add cluster information to 'vault status'
2016-07-29 18:13:53 +00:00
clusterName = cluster.Name
clusterID = cluster.ID
}
Add nonce to unseal to allow seeing if the operation has reset (#2276)
2017-01-17 16:47:06 +00:00
progress, nonce := core.SecretProgress()
http: start the API server
2015-03-12 06:05:16 +00:00
respondOk(w, &SealStatusResponse{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Type: sealConfig.Type,
Send initialized information via sys/seal-status (#5424)
2018-09-27 21:03:37 +00:00
Initialized: true,
The big one (#5346)
2018-09-18 03:03:00 +00:00
Sealed: sealed,
T: sealConfig.SecretThreshold,
N: sealConfig.SecretShares,
Progress: progress,
Nonce: nonce,
Version: version.GetVersion().VersionNumber(),
Seal migration (OSS) (#781)
2018-10-23 06:34:02 +00:00
Migration: core.IsInSealMigration(),
The big one (#5346)
2018-09-18 03:03:00 +00:00
ClusterName: clusterName,
ClusterID: clusterID,
RecoverySeal: core.SealAccess().RecoveryKeySupported(),
Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration
2019-10-15 04:55:31 +00:00
StorageType: core.StorageType(),
http: start the API server
2015-03-12 06:05:16 +00:00
})
}
type SealStatusResponse struct {
The big one (#5346)
2018-09-18 03:03:00 +00:00
Type string `json:"type"`
Send initialized information via sys/seal-status (#5424)
2018-09-27 21:03:37 +00:00
Initialized bool `json:"initialized"`
The big one (#5346)
2018-09-18 03:03:00 +00:00
Sealed bool `json:"sealed"`
T int `json:"t"`
N int `json:"n"`
Progress int `json:"progress"`
Nonce string `json:"nonce"`
Version string `json:"version"`
Seal migration (OSS) (#781)
2018-10-23 06:34:02 +00:00
Migration bool `json:"migration"`
The big one (#5346)
2018-09-18 03:03:00 +00:00
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
expose 'storage_type' on the sys/seal-status endpoint (#7486) * expose 'storage_type' on the sys/seal-status endpoint * add comments * Update vault/core.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
2019-09-18 19:07:18 +00:00
StorageType string `json:"storage_type,omitempty"`
http: start the API server
2015-03-12 06:05:16 +00:00
}
Seal migration (OSS) (#781)
2018-10-23 06:34:02 +00:00
// Note: because we didn't provide explicit tagging in the past we can't do it
// now because if it then no longer accepts capitalized versions it could break
// clients
http: start the API server
2015-03-12 06:05:16 +00:00
type UnsealRequest struct {
Seal migration (OSS) (#781)
2018-10-23 06:34:02 +00:00
Key string
Reset bool
Migrate bool
http: start the API server
2015-03-12 06:05:16 +00:00
}