2015-03-16 02:47:32 +00:00
|
|
|
package api
|
|
|
|
|
|
2016-05-27 21:01:42 +00:00
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"fmt"
|
2018-04-04 02:35:45 +00:00
|
|
|
"io"
|
2016-09-29 04:01:28 +00:00
|
|
|
"net/http"
|
|
|
|
|
"os"
|
2016-07-06 16:25:40 +00:00
|
|
|
|
2018-04-05 15:49:21 +00:00
|
|
|
"github.com/hashicorp/errwrap"
|
2016-07-06 16:25:40 +00:00
|
|
|
"github.com/hashicorp/vault/helper/jsonutil"
|
2016-05-27 21:01:42 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
wrappedResponseLocation = "cubbyhole/response"
|
|
|
|
|
)
|
|
|
|
|
|
2016-09-29 04:01:28 +00:00
|
|
|
var (
|
|
|
|
|
// The default TTL that will be used with `sys/wrapping/wrap`, can be
|
|
|
|
|
// changed
|
|
|
|
|
DefaultWrappingTTL = "5m"
|
|
|
|
|
|
|
|
|
|
// The default function used if no other function is set, which honors the
|
|
|
|
|
// env var and wraps `sys/wrapping/wrap`
|
|
|
|
|
DefaultWrappingLookupFunc = func(operation, path string) string {
|
|
|
|
|
if os.Getenv(EnvVaultWrapTTL) != "" {
|
|
|
|
|
return os.Getenv(EnvVaultWrapTTL)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (operation == "PUT" || operation == "POST") && path == "sys/wrapping/wrap" {
|
|
|
|
|
return DefaultWrappingTTL
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
|
2015-03-16 02:47:32 +00:00
|
|
|
// Logical is used to perform logical backend operations on Vault.
|
|
|
|
|
type Logical struct {
|
|
|
|
|
c *Client
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Logical is used to return the client for logical-backend API calls.
|
|
|
|
|
func (c *Client) Logical() *Logical {
|
|
|
|
|
return &Logical{c: c}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Logical) Read(path string) (*Secret, error) {
|
|
|
|
|
r := c.c.NewRequest("GET", "/v1/"+path)
|
|
|
|
|
resp, err := c.c.RawRequest(r)
|
2015-09-14 22:22:33 +00:00
|
|
|
if resp != nil {
|
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
}
|
2015-04-07 18:15:20 +00:00
|
|
|
if resp != nil && resp.StatusCode == 404 {
|
2018-04-04 08:41:46 +00:00
|
|
|
secret, parseErr := ParseSecret(resp.Body)
|
|
|
|
|
switch parseErr {
|
2018-04-04 02:35:45 +00:00
|
|
|
case nil:
|
|
|
|
|
case io.EOF:
|
|
|
|
|
return nil, nil
|
|
|
|
|
default:
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
|
if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
|
|
|
|
|
return secret, nil
|
|
|
|
|
}
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, nil
|
2015-04-07 18:15:20 +00:00
|
|
|
}
|
2015-03-16 02:47:32 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-14 19:42:12 +00:00
|
|
|
func (c *Logical) List(path string) (*Secret, error) {
|
2016-09-02 05:13:14 +00:00
|
|
|
r := c.c.NewRequest("LIST", "/v1/"+path)
|
|
|
|
|
// Set this for broader compatibility, but we use LIST above to be able to
|
|
|
|
|
// handle the wrapping lookup function
|
|
|
|
|
r.Method = "GET"
|
2016-01-14 19:18:27 +00:00
|
|
|
r.Params.Set("list", "true")
|
2015-09-14 19:42:12 +00:00
|
|
|
resp, err := c.c.RawRequest(r)
|
2015-09-14 21:30:42 +00:00
|
|
|
if resp != nil {
|
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
}
|
2015-09-14 19:42:12 +00:00
|
|
|
if resp != nil && resp.StatusCode == 404 {
|
2018-04-04 08:41:46 +00:00
|
|
|
secret, parseErr := ParseSecret(resp.Body)
|
|
|
|
|
switch parseErr {
|
2018-04-04 02:35:45 +00:00
|
|
|
case nil:
|
|
|
|
|
case io.EOF:
|
|
|
|
|
return nil, nil
|
|
|
|
|
default:
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
|
if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
|
|
|
|
|
return secret, nil
|
|
|
|
|
}
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, nil
|
2015-09-14 19:42:12 +00:00
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-06 16:53:43 +00:00
|
|
|
func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error) {
|
2015-03-16 02:47:32 +00:00
|
|
|
r := c.c.NewRequest("PUT", "/v1/"+path)
|
|
|
|
|
if err := r.SetJSONBody(data); err != nil {
|
2015-04-06 16:53:43 +00:00
|
|
|
return nil, err
|
2015-03-16 02:47:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resp, err := c.c.RawRequest(r)
|
2015-09-14 22:22:33 +00:00
|
|
|
if resp != nil {
|
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
}
|
2018-04-04 02:35:45 +00:00
|
|
|
if resp != nil && resp.StatusCode == 404 {
|
2018-04-04 08:41:46 +00:00
|
|
|
secret, parseErr := ParseSecret(resp.Body)
|
|
|
|
|
switch parseErr {
|
2018-04-04 02:35:45 +00:00
|
|
|
case nil:
|
|
|
|
|
case io.EOF:
|
|
|
|
|
return nil, nil
|
|
|
|
|
default:
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
|
if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
|
2018-04-04 08:41:46 +00:00
|
|
|
return secret, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
2015-03-16 02:47:32 +00:00
|
|
|
if err != nil {
|
2015-04-06 16:53:43 +00:00
|
|
|
return nil, err
|
2015-03-16 02:47:32 +00:00
|
|
|
}
|
|
|
|
|
|
2015-04-06 16:53:43 +00:00
|
|
|
if resp.StatusCode == 200 {
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil, nil
|
2015-03-16 02:47:32 +00:00
|
|
|
}
|
2015-04-07 18:04:56 +00:00
|
|
|
|
|
|
|
|
func (c *Logical) Delete(path string) (*Secret, error) {
|
|
|
|
|
r := c.c.NewRequest("DELETE", "/v1/"+path)
|
|
|
|
|
resp, err := c.c.RawRequest(r)
|
2015-09-14 22:22:33 +00:00
|
|
|
if resp != nil {
|
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
}
|
2018-04-04 02:35:45 +00:00
|
|
|
if resp != nil && resp.StatusCode == 404 {
|
2018-04-04 08:41:46 +00:00
|
|
|
secret, parseErr := ParseSecret(resp.Body)
|
|
|
|
|
switch parseErr {
|
2018-04-04 02:35:45 +00:00
|
|
|
case nil:
|
|
|
|
|
case io.EOF:
|
|
|
|
|
return nil, nil
|
|
|
|
|
default:
|
2018-04-04 07:50:24 +00:00
|
|
|
return nil, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
|
if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
|
2018-04-04 08:41:46 +00:00
|
|
|
return secret, err
|
2018-04-04 02:35:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
2015-04-07 18:04:56 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-07 18:15:20 +00:00
|
|
|
if resp.StatusCode == 200 {
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil, nil
|
2015-04-07 18:04:56 +00:00
|
|
|
}
|
2016-05-27 21:01:42 +00:00
|
|
|
|
|
|
|
|
func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
|
2016-09-29 04:01:28 +00:00
|
|
|
var data map[string]interface{}
|
2016-11-08 16:36:15 +00:00
|
|
|
if wrappingToken != "" {
|
|
|
|
|
if c.c.Token() == "" {
|
|
|
|
|
c.c.SetToken(wrappingToken)
|
|
|
|
|
} else if wrappingToken != c.c.Token() {
|
|
|
|
|
data = map[string]interface{}{
|
|
|
|
|
"token": wrappingToken,
|
|
|
|
|
}
|
2016-09-29 04:01:28 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r := c.c.NewRequest("PUT", "/v1/sys/wrapping/unwrap")
|
|
|
|
|
if err := r.SetJSONBody(data); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2016-05-27 21:01:42 +00:00
|
|
|
|
2016-09-29 04:01:28 +00:00
|
|
|
resp, err := c.c.RawRequest(r)
|
2016-12-01 21:38:08 +00:00
|
|
|
if resp != nil {
|
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
}
|
2018-04-03 21:11:01 +00:00
|
|
|
|
|
|
|
|
// Return all errors except those that are from a 404 as we handle the not
|
|
|
|
|
// found error as a special case.
|
|
|
|
|
if err != nil && (resp == nil || resp.StatusCode != 404) {
|
|
|
|
|
return nil, err
|
2016-12-01 21:38:08 +00:00
|
|
|
}
|
2016-11-29 21:50:07 +00:00
|
|
|
if resp == nil {
|
|
|
|
|
return nil, nil
|
2016-09-29 04:01:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch resp.StatusCode {
|
|
|
|
|
case http.StatusOK: // New method is supported
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
|
case http.StatusNotFound: // Fall back to old method
|
|
|
|
|
default:
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
2016-10-18 13:51:45 +00:00
|
|
|
if wrappingToken != "" {
|
2016-09-29 04:01:28 +00:00
|
|
|
origToken := c.c.Token()
|
|
|
|
|
defer c.c.SetToken(origToken)
|
|
|
|
|
c.c.SetToken(wrappingToken)
|
|
|
|
|
}
|
2016-05-27 21:01:42 +00:00
|
|
|
|
|
|
|
|
secret, err := c.Read(wrappedResponseLocation)
|
|
|
|
|
if err != nil {
|
2018-04-05 15:49:21 +00:00
|
|
|
return nil, errwrap.Wrapf(fmt.Sprintf("error reading %q: {{err}}", wrappedResponseLocation), err)
|
2016-05-27 21:01:42 +00:00
|
|
|
}
|
|
|
|
|
if secret == nil {
|
2018-04-05 15:49:21 +00:00
|
|
|
return nil, fmt.Errorf("no value found at %q", wrappedResponseLocation)
|
2016-05-27 21:01:42 +00:00
|
|
|
}
|
|
|
|
|
if secret.Data == nil {
|
|
|
|
|
return nil, fmt.Errorf("\"data\" not found in wrapping response")
|
|
|
|
|
}
|
|
|
|
|
if _, ok := secret.Data["response"]; !ok {
|
|
|
|
|
return nil, fmt.Errorf("\"response\" not found in wrapping response \"data\" map")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
wrappedSecret := new(Secret)
|
|
|
|
|
buf := bytes.NewBufferString(secret.Data["response"].(string))
|
2016-07-06 16:25:40 +00:00
|
|
|
if err := jsonutil.DecodeJSONFromReader(buf, wrappedSecret); err != nil {
|
2018-04-05 15:49:21 +00:00
|
|
|
return nil, errwrap.Wrapf("error unmarshalling wrapped secret: {{err}}", err)
|
2016-05-27 21:01:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return wrappedSecret, nil
|
|
|
|
|
}
|
