2015-03-16 02:47:32 +00:00
|
|
|
package api
|
|
|
|
|
2016-05-27 21:01:42 +00:00
|
|
|
import (
|
2018-05-16 00:01:58 +00:00
|
|
|
"bytes"
|
2018-07-24 22:49:55 +00:00
|
|
|
"context"
|
2018-05-16 00:01:58 +00:00
|
|
|
"fmt"
|
2018-04-04 02:35:45 +00:00
|
|
|
"io"
|
2016-09-29 04:01:28 +00:00
|
|
|
"os"
|
2018-05-16 00:01:58 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/errwrap"
|
|
|
|
"github.com/hashicorp/vault/helper/jsonutil"
|
2016-05-27 21:01:42 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
wrappedResponseLocation = "cubbyhole/response"
|
|
|
|
)
|
|
|
|
|
2016-09-29 04:01:28 +00:00
|
|
|
var (
|
|
|
|
// The default TTL that will be used with `sys/wrapping/wrap`, can be
|
|
|
|
// changed
|
|
|
|
DefaultWrappingTTL = "5m"
|
|
|
|
|
|
|
|
// The default function used if no other function is set, which honors the
|
|
|
|
// env var and wraps `sys/wrapping/wrap`
|
|
|
|
DefaultWrappingLookupFunc = func(operation, path string) string {
|
|
|
|
if os.Getenv(EnvVaultWrapTTL) != "" {
|
|
|
|
return os.Getenv(EnvVaultWrapTTL)
|
|
|
|
}
|
|
|
|
|
|
|
|
if (operation == "PUT" || operation == "POST") && path == "sys/wrapping/wrap" {
|
|
|
|
return DefaultWrappingTTL
|
|
|
|
}
|
|
|
|
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2015-03-16 02:47:32 +00:00
|
|
|
// Logical is used to perform logical backend operations on Vault.
|
|
|
|
type Logical struct {
|
|
|
|
c *Client
|
|
|
|
}
|
|
|
|
|
|
|
|
// Logical is used to return the client for logical-backend API calls.
|
|
|
|
func (c *Client) Logical() *Logical {
|
|
|
|
return &Logical{c: c}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Logical) Read(path string) (*Secret, error) {
|
|
|
|
r := c.c.NewRequest("GET", "/v1/"+path)
|
2018-07-24 22:49:55 +00:00
|
|
|
|
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-09-14 22:22:33 +00:00
|
|
|
if resp != nil {
|
|
|
|
defer resp.Body.Close()
|
|
|
|
}
|
2015-04-07 18:15:20 +00:00
|
|
|
if resp != nil && resp.StatusCode == 404 {
|
2018-04-04 08:41:46 +00:00
|
|
|
secret, parseErr := ParseSecret(resp.Body)
|
|
|
|
switch parseErr {
|
2018-04-04 02:35:45 +00:00
|
|
|
case nil:
|
|
|
|
case io.EOF:
|
|
|
|
return nil, nil
|
|
|
|
default:
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
|
|
|
|
return secret, nil
|
|
|
|
}
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, nil
|
2015-04-07 18:15:20 +00:00
|
|
|
}
|
2015-03-16 02:47:32 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
2015-09-14 19:42:12 +00:00
|
|
|
func (c *Logical) List(path string) (*Secret, error) {
|
2016-09-02 05:13:14 +00:00
|
|
|
r := c.c.NewRequest("LIST", "/v1/"+path)
|
|
|
|
// Set this for broader compatibility, but we use LIST above to be able to
|
|
|
|
// handle the wrapping lookup function
|
|
|
|
r.Method = "GET"
|
2016-01-14 19:18:27 +00:00
|
|
|
r.Params.Set("list", "true")
|
2018-07-24 22:49:55 +00:00
|
|
|
|
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-09-14 21:30:42 +00:00
|
|
|
if resp != nil {
|
|
|
|
defer resp.Body.Close()
|
|
|
|
}
|
2015-09-14 19:42:12 +00:00
|
|
|
if resp != nil && resp.StatusCode == 404 {
|
2018-04-04 08:41:46 +00:00
|
|
|
secret, parseErr := ParseSecret(resp.Body)
|
|
|
|
switch parseErr {
|
2018-04-04 02:35:45 +00:00
|
|
|
case nil:
|
|
|
|
case io.EOF:
|
|
|
|
return nil, nil
|
|
|
|
default:
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
|
|
|
|
return secret, nil
|
|
|
|
}
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, nil
|
2015-09-14 19:42:12 +00:00
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
2015-04-06 16:53:43 +00:00
|
|
|
func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error) {
|
2015-03-16 02:47:32 +00:00
|
|
|
r := c.c.NewRequest("PUT", "/v1/"+path)
|
|
|
|
if err := r.SetJSONBody(data); err != nil {
|
2015-04-06 16:53:43 +00:00
|
|
|
return nil, err
|
2015-03-16 02:47:32 +00:00
|
|
|
}
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-09-14 22:22:33 +00:00
|
|
|
if resp != nil {
|
|
|
|
defer resp.Body.Close()
|
|
|
|
}
|
2018-04-04 02:35:45 +00:00
|
|
|
if resp != nil && resp.StatusCode == 404 {
|
2018-04-04 08:41:46 +00:00
|
|
|
secret, parseErr := ParseSecret(resp.Body)
|
|
|
|
switch parseErr {
|
2018-04-04 02:35:45 +00:00
|
|
|
case nil:
|
|
|
|
case io.EOF:
|
|
|
|
return nil, nil
|
|
|
|
default:
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
|
2018-04-04 08:41:46 +00:00
|
|
|
return secret, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
}
|
2015-03-16 02:47:32 +00:00
|
|
|
if err != nil {
|
2015-04-06 16:53:43 +00:00
|
|
|
return nil, err
|
2015-03-16 02:47:32 +00:00
|
|
|
}
|
|
|
|
|
2018-07-12 14:18:50 +00:00
|
|
|
return ParseSecret(resp.Body)
|
2015-03-16 02:47:32 +00:00
|
|
|
}
|
2015-04-07 18:04:56 +00:00
|
|
|
|
|
|
|
func (c *Logical) Delete(path string) (*Secret, error) {
|
|
|
|
r := c.c.NewRequest("DELETE", "/v1/"+path)
|
2018-07-24 22:49:55 +00:00
|
|
|
|
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-09-14 22:22:33 +00:00
|
|
|
if resp != nil {
|
|
|
|
defer resp.Body.Close()
|
|
|
|
}
|
2018-04-04 02:35:45 +00:00
|
|
|
if resp != nil && resp.StatusCode == 404 {
|
2018-04-04 08:41:46 +00:00
|
|
|
secret, parseErr := ParseSecret(resp.Body)
|
|
|
|
switch parseErr {
|
2018-04-04 02:35:45 +00:00
|
|
|
case nil:
|
|
|
|
case io.EOF:
|
|
|
|
return nil, nil
|
|
|
|
default:
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
|
2018-04-04 08:41:46 +00:00
|
|
|
return secret, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
}
|
2015-04-07 18:04:56 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-07-12 14:18:50 +00:00
|
|
|
return ParseSecret(resp.Body)
|
2015-04-07 18:04:56 +00:00
|
|
|
}
|
2016-05-27 21:01:42 +00:00
|
|
|
|
|
|
|
func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
|
2016-09-29 04:01:28 +00:00
|
|
|
var data map[string]interface{}
|
2016-11-08 16:36:15 +00:00
|
|
|
if wrappingToken != "" {
|
|
|
|
if c.c.Token() == "" {
|
|
|
|
c.c.SetToken(wrappingToken)
|
|
|
|
} else if wrappingToken != c.c.Token() {
|
|
|
|
data = map[string]interface{}{
|
|
|
|
"token": wrappingToken,
|
|
|
|
}
|
2016-09-29 04:01:28 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
r := c.c.NewRequest("PUT", "/v1/sys/wrapping/unwrap")
|
|
|
|
if err := r.SetJSONBody(data); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-05-27 21:01:42 +00:00
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2016-12-01 21:38:08 +00:00
|
|
|
if resp != nil {
|
|
|
|
defer resp.Body.Close()
|
|
|
|
}
|
2018-05-16 00:01:58 +00:00
|
|
|
if resp == nil || resp.StatusCode != 404 {
|
|
|
|
if err != nil {
|
Fix response wrapping from K/V version 2 (#4511)
This takes place in two parts, since working on this exposed an issue
with response wrapping when there is a raw body set. The changes are (in
diff order):
* A CurrentWrappingLookupFunc has been added to return the current
value. This is necessary for the lookahead call since we don't want the
lookahead call to be wrapped.
* Support for unwrapping < 0.6.2 tokens via the API/CLI has been
removed, because we now have backends returning 404s with data and can't
rely on the 404 trick. These can still be read manually via
cubbyhole/response.
* KV preflight version request now ensures that its calls is not
wrapped, and restores any given function after.
* When responding with a raw body, instead of always base64-decoding a
string value and erroring on failure, on failure we assume that it
simply wasn't a base64-encoded value and use it as is.
* A test that fails on master and works now that ensures that raw body
responses that are wrapped and then unwrapped return the expected
values.
* A flag for response data that indicates to the wrapping handling that
the data contained therein is already JSON decoded (more later).
* RespondWithStatusCode now defaults to a string so that the value is
HMAC'd during audit. The function always JSON encodes the body, so
before now it was always returning []byte which would skip HMACing. We
don't know what's in the data, so this is a "better safe than sorry"
issue. If different behavior is needed, backends can always manually
populate the data instead of relying on the helper function.
* We now check unwrapped data after unwrapping to see if there were raw
flags. If so, we try to detect whether the value can be unbase64'd. The
reason is that if it can it was probably originally a []byte and
shouldn't be audit HMAC'd; if not, it was probably originally a string
and should be. In either case, we then set the value as the raw body and
hit the flag indicating that it's already been JSON decoded so not to
try again before auditing. Doing it this way ensures the right typing.
* There is now a check to see if the data coming from unwrapping is
already JSON decoded and if so the decoding is skipped before setting
the audit response.
2018-05-10 19:40:03 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2018-05-16 00:01:58 +00:00
|
|
|
if resp == nil {
|
|
|
|
return nil, nil
|
Fix response wrapping from K/V version 2 (#4511)
This takes place in two parts, since working on this exposed an issue
with response wrapping when there is a raw body set. The changes are (in
diff order):
* A CurrentWrappingLookupFunc has been added to return the current
value. This is necessary for the lookahead call since we don't want the
lookahead call to be wrapped.
* Support for unwrapping < 0.6.2 tokens via the API/CLI has been
removed, because we now have backends returning 404s with data and can't
rely on the 404 trick. These can still be read manually via
cubbyhole/response.
* KV preflight version request now ensures that its calls is not
wrapped, and restores any given function after.
* When responding with a raw body, instead of always base64-decoding a
string value and erroring on failure, on failure we assume that it
simply wasn't a base64-encoded value and use it as is.
* A test that fails on master and works now that ensures that raw body
responses that are wrapped and then unwrapped return the expected
values.
* A flag for response data that indicates to the wrapping handling that
the data contained therein is already JSON decoded (more later).
* RespondWithStatusCode now defaults to a string so that the value is
HMAC'd during audit. The function always JSON encodes the body, so
before now it was always returning []byte which would skip HMACing. We
don't know what's in the data, so this is a "better safe than sorry"
issue. If different behavior is needed, backends can always manually
populate the data instead of relying on the helper function.
* We now check unwrapped data after unwrapping to see if there were raw
flags. If so, we try to detect whether the value can be unbase64'd. The
reason is that if it can it was probably originally a []byte and
shouldn't be audit HMAC'd; if not, it was probably originally a string
and should be. In either case, we then set the value as the raw body and
hit the flag indicating that it's already been JSON decoded so not to
try again before auditing. Doing it this way ensures the right typing.
* There is now a check to see if the data coming from unwrapping is
already JSON decoded and if so the decoding is skipped before setting
the audit response.
2018-05-10 19:40:03 +00:00
|
|
|
}
|
2018-05-16 00:01:58 +00:00
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
|
|
|
// In the 404 case this may actually be a wrapped 404 error
|
|
|
|
secret, parseErr := ParseSecret(resp.Body)
|
|
|
|
switch parseErr {
|
|
|
|
case nil:
|
|
|
|
case io.EOF:
|
2016-09-29 04:01:28 +00:00
|
|
|
return nil, nil
|
2018-05-16 00:01:58 +00:00
|
|
|
default:
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
|
|
|
|
return secret, nil
|
2016-09-29 04:01:28 +00:00
|
|
|
}
|
2018-05-16 00:01:58 +00:00
|
|
|
|
|
|
|
// Otherwise this might be an old-style wrapping token so attempt the old
|
|
|
|
// method
|
|
|
|
if wrappingToken != "" {
|
|
|
|
origToken := c.c.Token()
|
|
|
|
defer c.c.SetToken(origToken)
|
|
|
|
c.c.SetToken(wrappingToken)
|
|
|
|
}
|
|
|
|
|
|
|
|
secret, err = c.Read(wrappedResponseLocation)
|
2016-05-27 21:01:42 +00:00
|
|
|
if err != nil {
|
2018-05-16 00:01:58 +00:00
|
|
|
return nil, errwrap.Wrapf(fmt.Sprintf("error reading %q: {{err}}", wrappedResponseLocation), err)
|
|
|
|
}
|
|
|
|
if secret == nil {
|
|
|
|
return nil, fmt.Errorf("no value found at %q", wrappedResponseLocation)
|
|
|
|
}
|
|
|
|
if secret.Data == nil {
|
|
|
|
return nil, fmt.Errorf("\"data\" not found in wrapping response")
|
|
|
|
}
|
|
|
|
if _, ok := secret.Data["response"]; !ok {
|
|
|
|
return nil, fmt.Errorf("\"response\" not found in wrapping response \"data\" map")
|
2016-05-27 21:01:42 +00:00
|
|
|
}
|
|
|
|
|
2018-05-16 00:01:58 +00:00
|
|
|
wrappedSecret := new(Secret)
|
|
|
|
buf := bytes.NewBufferString(secret.Data["response"].(string))
|
|
|
|
if err := jsonutil.DecodeJSONFromReader(buf, wrappedSecret); err != nil {
|
|
|
|
return nil, errwrap.Wrapf("error unmarshalling wrapped secret: {{err}}", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return wrappedSecret, nil
|
2016-05-27 21:01:42 +00:00
|
|
|
}
|