open-vault/vault/router.go

474 lines
12 KiB
Go
Raw Normal View History

2015-03-06 01:23:56 +00:00
package vault
import (
"fmt"
"strings"
"sync"
2015-04-08 23:43:17 +00:00
"time"
2015-03-06 01:23:56 +00:00
2015-04-08 23:43:17 +00:00
"github.com/armon/go-metrics"
2015-03-06 01:23:56 +00:00
"github.com/armon/go-radix"
"github.com/hashicorp/vault/helper/salt"
"github.com/hashicorp/vault/logical"
2015-03-06 01:23:56 +00:00
)
// Router is used to do prefix based routing of a request to a logical backend
type Router struct {
l sync.RWMutex
root *radix.Tree
mountUUIDCache *radix.Tree
mountAccessorCache *radix.Tree
tokenStoreSaltFunc func() (*salt.Salt, error)
// storagePrefix maps the prefix used for storage (ala the BarrierView)
// to the backend. This is used to map a key back into the backend that owns it.
// For example, logical/uuid1/foobar -> secrets/ (generic backend) + foobar
storagePrefix *radix.Tree
2015-03-06 01:23:56 +00:00
}
// NewRouter returns a new router
func NewRouter() *Router {
r := &Router{
root: radix.New(),
storagePrefix: radix.New(),
mountUUIDCache: radix.New(),
mountAccessorCache: radix.New(),
2015-03-06 01:23:56 +00:00
}
return r
}
// routeEntry is used to represent a mount point in the router
type routeEntry struct {
tainted bool
backend logical.Backend
mountEntry *MountEntry
storageView *BarrierView
rootPaths *radix.Tree
loginPaths *radix.Tree
2015-03-06 01:23:56 +00:00
}
2016-05-15 16:58:36 +00:00
// SaltID is used to apply a salt and hash to an ID to make sure its not reversible
func (re *routeEntry) SaltID(id string) string {
return salt.SaltID(re.mountEntry.UUID, id, salt.SHA1Hash)
}
// Mount is used to expose a logical backend at a given prefix, using a unique salt,
// and the barrier view for that path.
func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, storageView *BarrierView) error {
2015-03-06 01:23:56 +00:00
r.l.Lock()
defer r.l.Unlock()
// Check if this is a nested mount
if existing, _, ok := r.root.LongestPrefix(prefix); ok && existing != "" {
return fmt.Errorf("cannot mount under existing mount '%s'", existing)
}
2015-03-31 00:46:18 +00:00
// Build the paths
Lazy-load plugin mounts (#3255) * Lazy load plugins to avoid setup-unwrap cycle * Remove commented blocks * Refactor NewTestCluster, use single core cluster on basic plugin tests * Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly * Add special path to mock plugin * Move ensureCoresSealed to vault/testing.go * Use same method for EnsureCoresSealed and Cleanup * Bump ensureCoresSealed timeout to 60s * Correctly handle nil opts on NewTestCluster * Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap * Check metadata flag directly on the plugin process * Plumb isMetadataMode down to PluginRunner * Add NOOP shims when running in metadata mode * Remove unused flag from the APIMetadata object * Remove setupSecretPlugins and setupCredentialPlugins functions * Move when we setup rollback manager to after the plugins are initialized * Fix tests * Fix merge issue * start rollback manager after the credential setup * Add guards against running certain client and server functions while in metadata mode * Call initialize once a plugin is loaded on the fly * Add more tests, update basic secret/auth plugin tests to trigger lazy loading * Skip mount if plugin removed from catalog * Fixup * Remove commented line on LookupPlugin * Fail on mount operation if plugin is re-added to catalog and mount is on existing path * Check type and special paths on startBackend * Fix merge conflicts * Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 05:02:03 +00:00
paths := new(logical.Paths)
if backend != nil {
specialPaths := backend.SpecialPaths()
if specialPaths != nil {
paths = specialPaths
}
2015-03-06 01:23:56 +00:00
}
// Create a mount entry
re := &routeEntry{
tainted: false,
backend: backend,
mountEntry: mountEntry,
storageView: storageView,
rootPaths: pathsToRadix(paths.Root),
loginPaths: pathsToRadix(paths.Unauthenticated),
2015-03-06 01:23:56 +00:00
}
switch {
case prefix == "":
return fmt.Errorf("missing prefix to be used for router entry; mount_path: %q, mount_type: %q", re.mountEntry.Path, re.mountEntry.Type)
case storageView.prefix == "":
return fmt.Errorf("missing storage view prefix; mount_path: %q, mount_type: %q", re.mountEntry.Path, re.mountEntry.Type)
case re.mountEntry.UUID == "":
return fmt.Errorf("missing mount identifier; mount_path: %q, mount_type: %q", re.mountEntry.Path, re.mountEntry.Type)
case re.mountEntry.Accessor == "":
return fmt.Errorf("missing mount accessor; mount_path: %q, mount_type: %q", re.mountEntry.Path, re.mountEntry.Type)
}
r.root.Insert(prefix, re)
r.storagePrefix.Insert(storageView.prefix, re)
2017-06-17 03:54:19 +00:00
r.mountUUIDCache.Insert(re.mountEntry.UUID, re.mountEntry)
r.mountAccessorCache.Insert(re.mountEntry.Accessor, re.mountEntry)
2015-03-06 01:23:56 +00:00
return nil
}
// Unmount is used to remove a logical backend from a given prefix
func (r *Router) Unmount(prefix string) error {
r.l.Lock()
defer r.l.Unlock()
// Fast-path out if the backend doesn't exist
raw, ok := r.root.Get(prefix)
if !ok {
return nil
}
// Call backend's Cleanup routine
re := raw.(*routeEntry)
re.backend.Cleanup()
// Purge from the radix trees
2015-03-06 01:23:56 +00:00
r.root.Delete(prefix)
r.storagePrefix.Delete(re.storageView.prefix)
2017-06-17 03:54:19 +00:00
r.mountUUIDCache.Delete(re.mountEntry.UUID)
r.mountAccessorCache.Delete(re.mountEntry.Accessor)
2015-03-06 01:23:56 +00:00
return nil
}
// Remount is used to change the mount location of a logical backend
func (r *Router) Remount(src, dst string) error {
r.l.Lock()
defer r.l.Unlock()
// Check for existing mount
raw, ok := r.root.Get(src)
if !ok {
return fmt.Errorf("no mount at '%s'", src)
}
// Update the mount point
r.root.Delete(src)
r.root.Insert(dst, raw)
return nil
}
2015-04-02 18:12:13 +00:00
// Taint is used to mark a path as tainted. This means only RollbackOperation
2016-03-01 01:29:04 +00:00
// RevokeOperation requests are allowed to proceed
2015-04-02 18:12:13 +00:00
func (r *Router) Taint(path string) error {
r.l.Lock()
defer r.l.Unlock()
_, raw, ok := r.root.LongestPrefix(path)
if ok {
raw.(*routeEntry).tainted = true
2015-04-02 18:12:13 +00:00
}
return nil
}
2015-04-02 19:01:53 +00:00
// Untaint is used to unmark a path as tainted.
func (r *Router) Untaint(path string) error {
r.l.Lock()
defer r.l.Unlock()
_, raw, ok := r.root.LongestPrefix(path)
if ok {
raw.(*routeEntry).tainted = false
2015-04-02 19:01:53 +00:00
}
return nil
}
2017-06-17 03:54:19 +00:00
func (r *Router) MatchingMountByUUID(mountID string) *MountEntry {
if mountID == "" {
return nil
}
r.l.RLock()
defer r.l.RUnlock()
2017-06-17 03:54:19 +00:00
_, raw, ok := r.mountUUIDCache.LongestPrefix(mountID)
if !ok {
return nil
}
return raw.(*MountEntry)
}
// MatchingMountByAccessor returns the MountEntry by accessor lookup
func (r *Router) MatchingMountByAccessor(mountAccessor string) *MountEntry {
if mountAccessor == "" {
return nil
}
r.l.RLock()
defer r.l.RUnlock()
_, raw, ok := r.mountAccessorCache.LongestPrefix(mountAccessor)
if !ok {
return nil
}
return raw.(*MountEntry)
}
2015-04-02 18:03:59 +00:00
// MatchingMount returns the mount prefix that would be used for a path
func (r *Router) MatchingMount(path string) string {
r.l.RLock()
mount, _, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return ""
}
return mount
}
// MatchingStorageView returns the storageView used for a path
func (r *Router) MatchingStorageView(path string) *BarrierView {
2015-04-02 18:03:59 +00:00
r.l.RLock()
_, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return nil
}
return raw.(*routeEntry).storageView
}
// MatchingMountEntry returns the MountEntry used for a path
func (r *Router) MatchingMountEntry(path string) *MountEntry {
r.l.RLock()
_, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return nil
}
return raw.(*routeEntry).mountEntry
}
// MatchingBackend returns the backend used for a path
func (r *Router) MatchingBackend(path string) logical.Backend {
r.l.RLock()
_, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return nil
}
return raw.(*routeEntry).backend
}
// MatchingSystemView returns the SystemView used for a path
func (r *Router) MatchingSystemView(path string) logical.SystemView {
r.l.RLock()
_, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return nil
}
return raw.(*routeEntry).backend.System()
2015-04-02 18:03:59 +00:00
}
// MatchingStoragePrefix returns the mount path matching and storage prefix
// matching the given path
func (r *Router) MatchingStoragePrefix(path string) (string, string, bool) {
r.l.RLock()
_, raw, ok := r.storagePrefix.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return "", "", false
}
// Extract the mount path and storage prefix
re := raw.(*routeEntry)
mountPath := re.mountEntry.Path
prefix := re.storageView.prefix
// Add back the prefix for credential backends
if strings.HasPrefix(path, credentialBarrierPrefix) {
mountPath = credentialRoutePrefix + mountPath
}
return mountPath, prefix, true
}
2015-03-06 01:23:56 +00:00
// Route is used to route a given request
func (r *Router) Route(req *logical.Request) (*logical.Response, error) {
2016-01-12 20:09:16 +00:00
resp, _, _, err := r.routeCommon(req, false)
return resp, err
}
// Route is used to route a given existence check request
2016-01-12 20:09:16 +00:00
func (r *Router) RouteExistenceCheck(req *logical.Request) (bool, bool, error) {
_, ok, exists, err := r.routeCommon(req, true)
return ok, exists, err
}
2016-01-12 20:09:16 +00:00
func (r *Router) routeCommon(req *logical.Request, existenceCheck bool) (*logical.Response, bool, bool, error) {
2015-03-06 01:23:56 +00:00
// Find the mount point
r.l.RLock()
adjustedPath := req.Path
mount, raw, ok := r.root.LongestPrefix(adjustedPath)
if !ok && !strings.HasSuffix(adjustedPath, "/") {
// Re-check for a backend by appending a slash. This lets "foo" mean
// "foo/" at the root level which is almost always what we want.
adjustedPath += "/"
mount, raw, ok = r.root.LongestPrefix(adjustedPath)
}
2015-03-06 01:23:56 +00:00
r.l.RUnlock()
if !ok {
2016-01-12 20:09:16 +00:00
return logical.ErrorResponse(fmt.Sprintf("no handler for route '%s'", req.Path)), false, false, logical.ErrUnsupportedPath
2015-03-06 01:23:56 +00:00
}
req.Path = adjustedPath
defer metrics.MeasureSince([]string{"route", string(req.Operation),
strings.Replace(mount, "/", "-", -1)}, time.Now())
re := raw.(*routeEntry)
2015-03-06 01:23:56 +00:00
2015-04-02 18:12:13 +00:00
// If the path is tainted, we reject any operation except for
// Rollback and Revoke
if re.tainted {
2015-04-02 18:12:13 +00:00
switch req.Operation {
case logical.RevokeOperation, logical.RollbackOperation:
default:
2016-01-12 20:09:16 +00:00
return logical.ErrorResponse(fmt.Sprintf("no handler for route '%s'", req.Path)), false, false, logical.ErrUnsupportedPath
2015-04-02 18:12:13 +00:00
}
}
// Adjust the path to exclude the routing prefix
2016-09-29 04:01:28 +00:00
originalPath := req.Path
2015-03-06 01:23:56 +00:00
req.Path = strings.TrimPrefix(req.Path, mount)
req.MountPoint = mount
Create unified aws auth backend (#2441) * Rename builtin/credential/aws-ec2 to aws The aws-ec2 authentication backend is being expanded and will become the generic aws backend. This is a small rename commit to keep the commit history clean. * Expand aws-ec2 backend to more generic aws This adds the ability to authenticate arbitrary AWS IAM principals using AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to just AWS with the expansion. * Add missing aws auth handler to CLI This was omitted from the previous commit * aws auth backend general variable name cleanup Also fixed a bug where allowed auth types weren't being checked upon login, and added tests for it. * Update docs for the aws auth backend * Refactor aws bind validation * Fix env var override in aws backend test Intent is to override the AWS environment variables with the TEST_* versions if they are set, but the reverse was happening. * Update docs on use of IAM authentication profile AWS now allows you to change the instance profile of a running instance, so the use case of "a long-lived instance that's not in an instance profile" no longer means you have to use the the EC2 auth method. You can now just change the instance profile on the fly. * Fix typo in aws auth cli help * Respond to PR feedback * More PR feedback * Respond to additional PR feedback * Address more feedback on aws auth PR * Make aws auth_type immutable per role * Address more aws auth PR feedback * Address more iam auth PR feedback * Rename aws-ec2.html.md to aws.html.md Per PR feedback, to go along with new backend name. * Add MountType to logical.Request * Make default aws auth_type dependent upon MountType When MountType is aws-ec2, default to ec2 auth_type for backwards compatibility with legacy roles. Otherwise, default to iam. * Pass MountPoint and MountType back up to the core Previously the request router reset the MountPoint and MountType back to the empty string before returning to the core. This ensures they get set back to the correct values.
2017-04-24 19:15:50 +00:00
req.MountType = re.mountEntry.Type
if req.Path == "/" {
req.Path = ""
}
// Attach the storage view for the request
req.Storage = re.storageView
// Hash the request token unless this is the token backend
clientToken := req.ClientToken
switch {
2016-09-29 04:01:28 +00:00
case strings.HasPrefix(originalPath, "auth/token/"):
case strings.HasPrefix(originalPath, "sys/"):
case strings.HasPrefix(originalPath, "cubbyhole/"):
// In order for the token store to revoke later, we need to have the same
// salted ID, so we double-salt what's going to the cubbyhole backend
salt, err := r.tokenStoreSaltFunc()
if err != nil {
return nil, false, false, err
}
req.ClientToken = re.SaltID(salt.SaltID(req.ClientToken))
default:
req.ClientToken = re.SaltID(req.ClientToken)
}
2015-03-06 01:23:56 +00:00
2016-02-18 16:22:04 +00:00
// Cache the pointer to the original connection object
originalConn := req.Connection
2016-07-24 01:46:28 +00:00
// Cache the identifier of the request
originalReqID := req.ID
// Cache the client token's number of uses in the request
originalClientTokenRemainingUses := req.ClientTokenRemainingUses
req.ClientTokenRemainingUses = 0
// Cache the headers and hide them from backends
headers := req.Headers
req.Headers = nil
2017-01-04 21:44:03 +00:00
// Cache the wrap info of the request
var wrapInfo *logical.RequestWrapInfo
if req.WrapInfo != nil {
wrapInfo = &logical.RequestWrapInfo{
TTL: req.WrapInfo.TTL,
Format: req.WrapInfo.Format,
}
}
2016-09-29 04:01:28 +00:00
2015-03-06 01:23:56 +00:00
// Reset the request before returning
defer func() {
2016-09-29 04:01:28 +00:00
req.Path = originalPath
Create unified aws auth backend (#2441) * Rename builtin/credential/aws-ec2 to aws The aws-ec2 authentication backend is being expanded and will become the generic aws backend. This is a small rename commit to keep the commit history clean. * Expand aws-ec2 backend to more generic aws This adds the ability to authenticate arbitrary AWS IAM principals using AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to just AWS with the expansion. * Add missing aws auth handler to CLI This was omitted from the previous commit * aws auth backend general variable name cleanup Also fixed a bug where allowed auth types weren't being checked upon login, and added tests for it. * Update docs for the aws auth backend * Refactor aws bind validation * Fix env var override in aws backend test Intent is to override the AWS environment variables with the TEST_* versions if they are set, but the reverse was happening. * Update docs on use of IAM authentication profile AWS now allows you to change the instance profile of a running instance, so the use case of "a long-lived instance that's not in an instance profile" no longer means you have to use the the EC2 auth method. You can now just change the instance profile on the fly. * Fix typo in aws auth cli help * Respond to PR feedback * More PR feedback * Respond to additional PR feedback * Address more feedback on aws auth PR * Make aws auth_type immutable per role * Address more aws auth PR feedback * Address more iam auth PR feedback * Rename aws-ec2.html.md to aws.html.md Per PR feedback, to go along with new backend name. * Add MountType to logical.Request * Make default aws auth_type dependent upon MountType When MountType is aws-ec2, default to ec2 auth_type for backwards compatibility with legacy roles. Otherwise, default to iam. * Pass MountPoint and MountType back up to the core Previously the request router reset the MountPoint and MountType back to the empty string before returning to the core. This ensures they get set back to the correct values.
2017-04-24 19:15:50 +00:00
req.MountPoint = mount
req.MountType = re.mountEntry.Type
req.Connection = originalConn
2016-07-24 01:46:28 +00:00
req.ID = originalReqID
req.Storage = nil
2015-03-24 18:09:25 +00:00
req.ClientToken = clientToken
req.ClientTokenRemainingUses = originalClientTokenRemainingUses
2017-01-04 21:44:03 +00:00
req.WrapInfo = wrapInfo
req.Headers = headers
2017-03-01 17:39:42 +00:00
// This is only set in one place, after routing, so should never be set
// by a backend
req.SetLastRemoteWAL(0)
2015-03-06 01:23:56 +00:00
}()
// Invoke the backend
if existenceCheck {
2016-01-12 20:09:16 +00:00
ok, exists, err := re.backend.HandleExistenceCheck(req)
return nil, ok, exists, err
} else {
resp, err := re.backend.HandleRequest(req)
2016-01-12 20:09:16 +00:00
return resp, false, false, err
}
2015-03-06 01:23:56 +00:00
}
// RootPath checks if the given path requires root privileges
func (r *Router) RootPath(path string) bool {
r.l.RLock()
mount, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return false
}
re := raw.(*routeEntry)
2015-03-06 01:23:56 +00:00
// Trim to get remaining path
remain := strings.TrimPrefix(path, mount)
// Check the rootPaths of this backend
match, raw, ok := re.rootPaths.LongestPrefix(remain)
2015-03-06 01:23:56 +00:00
if !ok {
return false
}
prefixMatch := raw.(bool)
// Handle the prefix match case
if prefixMatch {
return strings.HasPrefix(remain, match)
}
// Handle the exact match case
return match == remain
}
// LoginPath checks if the given path is used for logins
func (r *Router) LoginPath(path string) bool {
r.l.RLock()
mount, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return false
}
re := raw.(*routeEntry)
// Trim to get remaining path
remain := strings.TrimPrefix(path, mount)
// Check the loginPaths of this backend
match, raw, ok := re.loginPaths.LongestPrefix(remain)
if !ok {
return false
}
prefixMatch := raw.(bool)
// Handle the prefix match case
if prefixMatch {
return strings.HasPrefix(remain, match)
}
// Handle the exact match case
return match == remain
}
2015-03-31 00:46:18 +00:00
// pathsToRadix converts a the mapping of special paths to a mapping
// of special paths to radix trees.
func pathsToRadix(paths []string) *radix.Tree {
tree := radix.New()
for _, path := range paths {
// Check if this is a prefix or exact match
prefixMatch := len(path) >= 1 && path[len(path)-1] == '*'
if prefixMatch {
path = path[:len(path)-1]
}
2015-03-31 00:46:18 +00:00
tree.Insert(path, prefixMatch)
}
2015-03-31 00:46:18 +00:00
return tree
}