open-vault/http/sys_seal.go

package http

import (
	"context"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"net/http"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/vault/sdk/helper/consts"
	"github.com/hashicorp/vault/sdk/logical"
	"github.com/hashicorp/vault/vault"
)

func handleSysSeal(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, _, statusCode, err := buildLogicalRequest(core, w, r)
		if err != nil || statusCode != 0 {
			respondError(w, statusCode, err)
			return
		}

		switch req.Operation {
		case logical.UpdateOperation:
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		// Seal with the token above
		// We use context.Background since there won't be a request context if the node isn't active
		if err := core.SealWithRequest(r.Context(), req); err != nil {
			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
				respondError(w, http.StatusForbidden, err)
				return
			}
			respondError(w, http.StatusInternalServerError, err)
			return
		}

		respondOk(w, nil)
	})
}

func handleSysStepDown(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, _, statusCode, err := buildLogicalRequest(core, w, r)
		if err != nil || statusCode != 0 {
			respondError(w, statusCode, err)
			return
		}

		switch req.Operation {
		case logical.UpdateOperation:
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		// Seal with the token above
		if err := core.StepDown(r.Context(), req); err != nil {
			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
				respondError(w, http.StatusForbidden, err)
				return
			}
			respondError(w, http.StatusInternalServerError, err)
			return
		}

		respondOk(w, nil)
	})
}

func handleSysUnseal(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case "PUT":
		case "POST":
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		// Parse the request
		var req UnsealRequest
		if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
			respondError(w, http.StatusBadRequest, err)
			return
		}

		if req.Reset {
			if !core.Sealed() {
				respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))
				return
			}
			core.ResetUnsealProcess()
			handleSysSealStatusRaw(core, w, r)
			return
		}

		if req.Key == "" {
			respondError(
				w, http.StatusBadRequest,
				errors.New("'key' must be specified in request body as JSON, or 'reset' set to true"))
			return
		}

		// Decode the key, which is base64 or hex encoded
		min, max := core.BarrierKeyLength()
		key, err := hex.DecodeString(req.Key)
		// We check min and max here to ensure that a string that is base64
		// encoded but also valid hex will not be valid and we instead base64
		// decode it
		if err != nil || len(key) < min || len(key) > max {
			key, err = base64.StdEncoding.DecodeString(req.Key)
			if err != nil {
				respondError(
					w, http.StatusBadRequest,
					errors.New("'key' must be a valid hex or base64 string"))
				return
			}
		}

		// Attempt the unseal.  If migrate was specified, the key should correspond
		// to the old seal.
		if req.Migrate {
			_, err = core.UnsealMigrate(key)
		} else {
			_, err = core.Unseal(key)
		}
		if err != nil {
			switch {
			case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):
			case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):
			case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):
			case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):
			case errwrap.Contains(err, consts.ErrStandby.Error()):
			default:
				respondError(w, http.StatusInternalServerError, err)
				return
			}
			respondError(w, http.StatusBadRequest, err)
			return
		}

		// Return the seal status
		handleSysSealStatusRaw(core, w, r)
	})
}

func handleSysSealStatus(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != "GET" {
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		handleSysSealStatusRaw(core, w, r)
	})
}

func handleSysSealStatusRaw(core *vault.Core, w http.ResponseWriter, r *http.Request) {
	ctx := context.Background()
	status, err := core.GetSealStatus(ctx)
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	respondOk(w, status)
}

// Note: because we didn't provide explicit tagging in the past we can't do it
// now because if it then no longer accepts capitalized versions it could break
// clients
type UnsealRequest struct {
	Key     string
	Reset   bool
	Migrate bool
}
http: start the API server 2015-03-12 06:05:16 +00:00			`package http`

			`import (`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`"encoding/base64"`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`"encoding/hex"`
http: start the API server 2015-03-12 06:05:16 +00:00			`"errors"`
			`"net/http"`

http: mask user error away from unseal since its not actionable 2015-03-12 18:26:59 +00:00			`"github.com/hashicorp/errwrap"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/helper/consts"`
			`"github.com/hashicorp/vault/sdk/logical"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/vault"`
http: start the API server 2015-03-12 06:05:16 +00:00			`)`

			`func handleSysSeal(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Merge PR #9390: http: revert resource quota changes 2020-07-07 04:05:28 +00:00			`req, _, statusCode, err := buildLogicalRequest(core, w, r)`
Enable audit-logging of seal and step-down commands. This pulls the logical request building code into its own function so that it's accessible from other HTTP handlers, then uses that with some added logic to the Seal() and StepDown() commands to have meaningful audit log entries. 2016-05-20 17:03:54 +00:00			`if err != nil \|\| statusCode != 0 {`
			`respondError(w, statusCode, err)`
			`return`
			`}`

			`switch req.Operation {`
			`case logical.UpdateOperation:`
Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things 2015-08-31 21:55:22 +00:00			`default:`
http: start the API server 2015-03-12 06:05:16 +00:00			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`return`
			`}`

http: /sys/seal requires a token 2015-03-31 18:45:44 +00:00			`// Seal with the token above`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`// We use context.Background since there won't be a request context if the node isn't active`
Add request timeouts in normal request path and to expirations (#4971) * Add request timeouts in normal request path and to expirations * Add ability to adjust default max request duration * Some test fixes * Ensure tests have defaults set for max request duration * Add context cancel checking to inmem/file * Fix tests * Fix tests * Set default max request duration to basically infinity for this release for BC * Address feedback 2018-07-24 21:50:49 +00:00			`if err := core.SealWithRequest(r.Context(), req); err != nil {`
Set number of pester retries to zero by default and make seal command… (#2093) * Set number of pester retries to zero by default and make seal command return 403 if unauthorized instead of 500 * Fix build * Use 403 instead and update test * Change another 500 to 403 2016-11-16 19:08:09 +00:00			`if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {`
			`respondError(w, http.StatusForbidden, err)`
			`return`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`respondError(w, http.StatusInternalServerError, err)`
			`return`
http: start the API server 2015-03-12 06:05:16 +00:00			`}`

			`respondOk(w, nil)`
			`})`
			`}`

Provide 'sys/step-down' and 'vault step-down' This endpoint causes the node it's hit to step down from active duty. It's a noop if the node isn't active or not running in HA mode. The node will wait one second before attempting to reacquire the lock, to give other nodes a chance to grab it. Fixes #1093 2016-02-27 00:43:55 +00:00			`func handleSysStepDown(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Merge PR #9390: http: revert resource quota changes 2020-07-07 04:05:28 +00:00			`req, _, statusCode, err := buildLogicalRequest(core, w, r)`
Enable audit-logging of seal and step-down commands. This pulls the logical request building code into its own function so that it's accessible from other HTTP handlers, then uses that with some added logic to the Seal() and StepDown() commands to have meaningful audit log entries. 2016-05-20 17:03:54 +00:00			`if err != nil \|\| statusCode != 0 {`
			`respondError(w, statusCode, err)`
			`return`
			`}`

			`switch req.Operation {`
			`case logical.UpdateOperation:`
Provide 'sys/step-down' and 'vault step-down' This endpoint causes the node it's hit to step down from active duty. It's a noop if the node isn't active or not running in HA mode. The node will wait one second before attempting to reacquire the lock, to give other nodes a chance to grab it. Fixes #1093 2016-02-27 00:43:55 +00:00			`default:`
			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`return`
			`}`

			`// Seal with the token above`
Add request timeouts in normal request path and to expirations (#4971) * Add request timeouts in normal request path and to expirations * Add ability to adjust default max request duration * Some test fixes * Ensure tests have defaults set for max request duration * Add context cancel checking to inmem/file * Fix tests * Fix tests * Set default max request duration to basically infinity for this release for BC * Address feedback 2018-07-24 21:50:49 +00:00			`if err := core.StepDown(r.Context(), req); err != nil {`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {`
			`respondError(w, http.StatusForbidden, err)`
			`return`
			`}`
Provide 'sys/step-down' and 'vault step-down' This endpoint causes the node it's hit to step down from active duty. It's a noop if the node isn't active or not running in HA mode. The node will wait one second before attempting to reacquire the lock, to give other nodes a chance to grab it. Fixes #1093 2016-02-27 00:43:55 +00:00			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`

			`respondOk(w, nil)`
			`})`
			`}`

http: start the API server 2015-03-12 06:05:16 +00:00			`func handleSysUnseal(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things 2015-08-31 21:55:22 +00:00			`switch r.Method {`
			`case "PUT":`
			`case "POST":`
			`default:`
http: start the API server 2015-03-12 06:05:16 +00:00			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`return`
			`}`

			`// Parse the request`
			`var req UnsealRequest`
Support processing parameters sent as a URL-encoded form (#8325) 2020-02-12 22:20:22 +00:00			`if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {`
http: start the API server 2015-03-12 06:05:16 +00:00			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`if req.Reset {`
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered 2018-07-24 20:57:25 +00:00			`if !core.Sealed() {`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))`
			`return`
			`}`
			`core.ResetUnsealProcess()`
Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`handleSysSealStatusRaw(core, w, r)`
			`return`
			`}`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00
Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`if req.Key == "" {`
			`respondError(`
			`w, http.StatusBadRequest,`
			`errors.New("'key' must be specified in request body as JSON, or 'reset' set to true"))`
			`return`
			`}`

			`// Decode the key, which is base64 or hex encoded`
			`min, max := core.BarrierKeyLength()`
			`key, err := hex.DecodeString(req.Key)`
			`// We check min and max here to ensure that a string that is base64`
			`// encoded but also valid hex will not be valid and we instead base64`
			`// decode it`
			`if err != nil \|\| len(key) < min \|\| len(key) > max {`
			`key, err = base64.StdEncoding.DecodeString(req.Key)`
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests 2017-11-07 20:15:39 +00:00			`if err != nil {`
Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`respondError(`
			`w, http.StatusBadRequest,`
			`errors.New("'key' must be a valid hex or base64 string"))`
Error when an invalid (as opposed to incorrect) unseal key is given. (#1782) Fixes #1777 2016-08-24 18:15:25 +00:00			`return`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`}`
http: start the API server 2015-03-12 06:05:16 +00:00			`}`

Same seal migration oss (#10224) * Refactoring and test improvements. * Support migrating from a given type of autoseal to that same type but with different parameters. 2020-10-23 18:16:04 +00:00			`// Attempt the unseal. If migrate was specified, the key should correspond`
			`// to the old seal.`
			`if req.Migrate {`
			`_, err = core.UnsealMigrate(key)`
Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`} else {`
			`_, err = core.Unseal(key)`
			`}`
			`if err != nil {`
			`switch {`
			`case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):`
			`case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):`
			`case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):`
			`case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):`
			`case errwrap.Contains(err, consts.ErrStandby.Error()):`
			`default:`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

http: start the API server 2015-03-12 06:05:16 +00:00			`// Return the seal status`
			`handleSysSealStatusRaw(core, w, r)`
			`})`
			`}`

			`func handleSysSealStatus(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if r.Method != "GET" {`
			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`return`
			`}`

			`handleSysSealStatusRaw(core, w, r)`
			`})`
			`}`

			`func handleSysSealStatusRaw(core vault.Core, w http.ResponseWriter, r http.Request) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`ctx := context.Background()`
Implement sys/seal-status and sys/leader in system backend (#10725) * Implement sys/seal-status and sys/leader as normal API calls (so that they can be used in namespaces.) * Added changelog. 2021-01-20 20:04:24 +00:00			`status, err := core.GetSealStatus(ctx)`
http: start the API server 2015-03-12 06:05:16 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests 2017-11-07 20:15:39 +00:00
Implement sys/seal-status and sys/leader in system backend (#10725) * Implement sys/seal-status and sys/leader as normal API calls (so that they can be used in namespaces.) * Added changelog. 2021-01-20 20:04:24 +00:00			`respondOk(w, status)`
http: start the API server 2015-03-12 06:05:16 +00:00			`}`

Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`// Note: because we didn't provide explicit tagging in the past we can't do it`
			`// now because if it then no longer accepts capitalized versions it could break`
			`// clients`
http: start the API server 2015-03-12 06:05:16 +00:00			`type UnsealRequest struct {`
Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`Key string`
			`Reset bool`
			`Migrate bool`
http: start the API server 2015-03-12 06:05:16 +00:00			`}`