open-vault/http/sys_generate_root.go

package http

import (
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"

	"github.com/hashicorp/vault/helper/base62"
	"github.com/hashicorp/vault/vault"
)

func handleSysGenerateRootAttempt(core *vault.Core, generateStrategy vault.GenerateRootStrategy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case "GET":
			handleSysGenerateRootAttemptGet(core, w, r, "")
		case "POST", "PUT":
			handleSysGenerateRootAttemptPut(core, w, r, generateStrategy)
		case "DELETE":
			handleSysGenerateRootAttemptDelete(core, w, r)
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
		}
	})
}

func handleSysGenerateRootAttemptGet(core *vault.Core, w http.ResponseWriter, r *http.Request, otp string) {
	ctx, cancel := core.GetContext()
	defer cancel()

	// Get the current seal configuration
	barrierConfig, err := core.SealAccess().BarrierConfig(ctx)
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}
	if barrierConfig == nil {
		respondError(w, http.StatusBadRequest, fmt.Errorf("server is not yet initialized"))
		return
	}

	sealConfig := barrierConfig
	if core.SealAccess().RecoveryKeySupported() {
		sealConfig, err = core.SealAccess().RecoveryConfig(ctx)
		if err != nil {
			respondError(w, http.StatusInternalServerError, err)
			return
		}
	}

	// Get the generation configuration
	generationConfig, err := core.GenerateRootConfiguration()
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	// Get the progress
	progress, err := core.GenerateRootProgress()
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	// Format the status
	status := &GenerateRootStatusResponse{
		Started:   false,
		Progress:  progress,
		Required:  sealConfig.SecretThreshold,
		Complete:  false,
		OTPLength: vault.TokenLength + 2,
		OTP:       otp,
	}
	if generationConfig != nil {
		status.Nonce = generationConfig.Nonce
		status.Started = true
		status.PGPFingerprint = generationConfig.PGPFingerprint
	}

	respondOk(w, status)
}

func handleSysGenerateRootAttemptPut(core *vault.Core, w http.ResponseWriter, r *http.Request, generateStrategy vault.GenerateRootStrategy) {
	// Parse the request
	var req GenerateRootInitRequest
	if _, err := parseRequest(core, r, w, &req); err != nil && err != io.EOF {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	var err error
	var genned bool

	switch {
	case len(req.PGPKey) > 0, len(req.OTP) > 0:
	default:
		genned = true
		req.OTP, err = base62.Random(vault.TokenLength + 2)
		if err != nil {
			respondError(w, http.StatusInternalServerError, err)
			return
		}
	}

	// Attemptialize the generation
	if err := core.GenerateRootInit(req.OTP, req.PGPKey, generateStrategy); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	if genned {
		handleSysGenerateRootAttemptGet(core, w, r, req.OTP)
		return
	}

	handleSysGenerateRootAttemptGet(core, w, r, "")
}

func handleSysGenerateRootAttemptDelete(core *vault.Core, w http.ResponseWriter, r *http.Request) {
	err := core.GenerateRootCancel()
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}
	respondOk(w, nil)
}

func handleSysGenerateRootUpdate(core *vault.Core, generateStrategy vault.GenerateRootStrategy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Parse the request
		var req GenerateRootUpdateRequest
		if _, err := parseRequest(core, r, w, &req); err != nil {
			respondError(w, http.StatusBadRequest, err)
			return
		}
		if req.Key == "" {
			respondError(
				w, http.StatusBadRequest,
				errors.New("'key' must be specified in request body as JSON"))
			return
		}

		// Decode the key, which is base64 or hex encoded
		min, max := core.BarrierKeyLength()
		key, err := hex.DecodeString(req.Key)
		// We check min and max here to ensure that a string that is base64
		// encoded but also valid hex will not be valid and we instead base64
		// decode it
		if err != nil || len(key) < min || len(key) > max {
			key, err = base64.StdEncoding.DecodeString(req.Key)
			if err != nil {
				respondError(
					w, http.StatusBadRequest,
					errors.New("'key' must be a valid hex or base64 string"))
				return
			}
		}

		ctx, cancel := core.GetContext()
		defer cancel()

		// Use the key to make progress on root generation
		result, err := core.GenerateRootUpdate(ctx, key, req.Nonce, generateStrategy)
		if err != nil {
			respondError(w, http.StatusBadRequest, err)
			return
		}

		resp := &GenerateRootStatusResponse{
			Complete:       result.Progress == result.Required,
			Nonce:          req.Nonce,
			Progress:       result.Progress,
			Required:       result.Required,
			Started:        true,
			EncodedToken:   result.EncodedToken,
			PGPFingerprint: result.PGPFingerprint,
		}

		if generateStrategy == vault.GenerateStandardRootTokenStrategy {
			resp.EncodedRootToken = result.EncodedToken
		}

		respondOk(w, resp)
	})
}

type GenerateRootInitRequest struct {
	OTP    string `json:"otp"`
	PGPKey string `json:"pgp_key"`
}

type GenerateRootStatusResponse struct {
	Nonce            string `json:"nonce"`
	Started          bool   `json:"started"`
	Progress         int    `json:"progress"`
	Required         int    `json:"required"`
	Complete         bool   `json:"complete"`
	EncodedToken     string `json:"encoded_token"`
	EncodedRootToken string `json:"encoded_root_token"`
	PGPFingerprint   string `json:"pgp_fingerprint"`
	OTP              string `json:"otp"`
	OTPLength        int    `json:"otp_length"`
}

type GenerateRootUpdateRequest struct {
	Nonce string
	Key   string
}
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`package http`

			`import (`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`"encoding/base64"`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`"encoding/hex"`
			`"errors"`
			`"fmt"`
Fix root generation init not allowing empty input (#5495) 2018-10-10 15:54:12 +00:00			`"io"`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`"net/http"`

The big one (#5346) 2018-09-18 03:03:00 +00:00			`"github.com/hashicorp/vault/helper/base62"`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`"github.com/hashicorp/vault/vault"`
			`)`

Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`func handleSysGenerateRootAttempt(core *vault.Core, generateStrategy vault.GenerateRootStrategy) http.Handler {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`switch r.Method {`
			`case "GET":`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`handleSysGenerateRootAttemptGet(core, w, r, "")`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`case "POST", "PUT":`
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`handleSysGenerateRootAttemptPut(core, w, r, generateStrategy)`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`case "DELETE":`
RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`handleSysGenerateRootAttemptDelete(core, w, r)`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`default:`
			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`}`
			`})`
			`}`

The big one (#5346) 2018-09-18 03:03:00 +00:00			`func handleSysGenerateRootAttemptGet(core vault.Core, w http.ResponseWriter, r http.Request, otp string) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`ctx, cancel := core.GetContext()`
			`defer cancel()`

Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`// Get the current seal configuration`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`barrierConfig, err := core.SealAccess().BarrierConfig(ctx)`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
SealInterface 2016-04-04 14:44:22 +00:00			`if barrierConfig == nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`respondError(w, http.StatusBadRequest, fmt.Errorf("server is not yet initialized"))`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`return`
			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`sealConfig := barrierConfig`
Remove context from a few extraneous places 2018-01-19 08:44:06 +00:00			`if core.SealAccess().RecoveryKeySupported() {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`sealConfig, err = core.SealAccess().RecoveryConfig(ctx)`
SealInterface 2016-04-04 14:44:22 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
			`}`

Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`// Get the generation configuration`
RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`generationConfig, err := core.GenerateRootConfiguration()`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`

			`// Get the progress`
RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`progress, err := core.GenerateRootProgress()`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`

			`// Format the status`
RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`status := &GenerateRootStatusResponse{`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`Started: false,`
			`Progress: progress,`
			`Required: sealConfig.SecretThreshold,`
			`Complete: false,`
Deprecate SHA1 in token store (#770) * Deprecate SHA1 in token store * Fallback to SHA1 for user selected IDs * Fix existing tests * Added warning * Address some review feedback and remove root token prefix * Tests for service token prefixing * Salting utility tests * Adjust OTP length for root token generation * Fix tests * Address review feedback 2018-10-17 20:23:04 +00:00			`OTPLength: vault.TokenLength + 2,`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`OTP: otp,`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`
			`if generationConfig != nil {`
			`status.Nonce = generationConfig.Nonce`
			`status.Started = true`
			`status.PGPFingerprint = generationConfig.PGPFingerprint`
			`}`

			`respondOk(w, status)`
			`}`

Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`func handleSysGenerateRootAttemptPut(core vault.Core, w http.ResponseWriter, r http.Request, generateStrategy vault.GenerateRootStrategy) {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`// Parse the request`
RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`var req GenerateRootInitRequest`
Save the original request body for forwarding (#6538) * Save the original request body for forwarding If we are forwarding a request after initial parsing the request body is already consumed. As a result a forwarded call containing a request body will have the body be nil. This saves the original request body for a given request via a TeeReader and uses that in cases of forwarding past body consumption. 2019-04-05 18:36:34 +00:00			`if _, err := parseRequest(core, r, w, &req); err != nil && err != io.EOF {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

The big one (#5346) 2018-09-18 03:03:00 +00:00			`var err error`
			`var genned bool`

			`switch {`
			`case len(req.PGPKey) > 0, len(req.OTP) > 0:`
			`default:`
			`genned = true`
Simplify base62.Random (#5982) Also move existing base62 encode/decode operations to their only points of use. 2018-12-20 15:40:01 +00:00			`req.OTP, err = base62.Random(vault.TokenLength + 2)`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`// Attemptialize the generation`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`if err := core.GenerateRootInit(req.OTP, req.PGPKey, generateStrategy); err != nil {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00
The big one (#5346) 2018-09-18 03:03:00 +00:00			`if genned {`
			`handleSysGenerateRootAttemptGet(core, w, r, req.OTP)`
			`return`
			`}`

			`handleSysGenerateRootAttemptGet(core, w, r, "")`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`func handleSysGenerateRootAttemptDelete(core vault.Core, w http.ResponseWriter, r http.Request) {`
			`err := core.GenerateRootCancel()`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
			`respondOk(w, nil)`
			`}`

Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`func handleSysGenerateRootUpdate(core *vault.Core, generateStrategy vault.GenerateRootStrategy) http.Handler {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Parse the request`
RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`var req GenerateRootUpdateRequest`
Save the original request body for forwarding (#6538) * Save the original request body for forwarding If we are forwarding a request after initial parsing the request body is already consumed. As a result a forwarded call containing a request body will have the body be nil. This saves the original request body for a given request via a TeeReader and uses that in cases of forwarding past body consumption. 2019-04-05 18:36:34 +00:00			`if _, err := parseRequest(core, r, w, &req); err != nil {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`
			`if req.Key == "" {`
			`respondError(`
			`w, http.StatusBadRequest,`
Fix error message grammar 2017-03-14 21:10:43 +00:00			`errors.New("'key' must be specified in request body as JSON"))`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`return`
			`}`

Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`// Decode the key, which is base64 or hex encoded`
			`min, max := core.BarrierKeyLength()`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`key, err := hex.DecodeString(req.Key)`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`// We check min and max here to ensure that a string that is base64`
			`// encoded but also valid hex will not be valid and we instead base64`
			`// decode it`
			`if err != nil \|\| len(key) < min \|\| len(key) > max {`
			`key, err = base64.StdEncoding.DecodeString(req.Key)`
			`if err != nil {`
			`respondError(`
			`w, http.StatusBadRequest,`
			`errors.New("'key' must be a valid hex or base64 string"))`
			`return`
			`}`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`ctx, cancel := core.GetContext()`
			`defer cancel()`

Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`// Use the key to make progress on root generation`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`result, err := core.GenerateRootUpdate(ctx, key, req.Nonce, generateStrategy)`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err != nil {`
			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`resp := &GenerateRootStatusResponse{`
generate token functions to share common names (#3576) 2017-11-13 20:44:26 +00:00			`Complete: result.Progress == result.Required,`
			`Nonce: req.Nonce,`
			`Progress: result.Progress,`
			`Required: result.Required,`
			`Started: true,`
			`EncodedToken: result.EncodedToken,`
			`PGPFingerprint: result.PGPFingerprint,`
			`}`

			`if generateStrategy == vault.GenerateStandardRootTokenStrategy {`
			`resp.EncodedRootToken = result.EncodedToken`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`

			`respondOk(w, resp)`
			`})`
			`}`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`type GenerateRootInitRequest struct {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			OTP string `json:"otp"`
			PGPKey string `json:"pgp_key"`
			`}`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`type GenerateRootStatusResponse struct {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			Nonce string `json:"nonce"`
			Started bool `json:"started"`
			Progress int `json:"progress"`
			Required int `json:"required"`
			Complete bool `json:"complete"`
generate token functions to share common names (#3576) 2017-11-13 20:44:26 +00:00			EncodedToken string `json:"encoded_token"`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			EncodedRootToken string `json:"encoded_root_token"`
			PGPFingerprint string `json:"pgp_fingerprint"`
The big one (#5346) 2018-09-18 03:03:00 +00:00			OTP string `json:"otp"`
			OTPLength int `json:"otp_length"`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`type GenerateRootUpdateRequest struct {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`Nonce string`
			`Key string`
			`}`