open-vault/http/handler.go

226 lines
6.1 KiB
Go
Raw Normal View History

2015-03-12 06:05:16 +00:00
package http
import (
"encoding/json"
"fmt"
"io"
2015-03-12 06:05:16 +00:00
"net/http"
2015-04-19 20:18:09 +00:00
"net/url"
2015-04-03 05:21:33 +00:00
"strings"
2015-03-12 06:05:16 +00:00
"github.com/hashicorp/errwrap"
2015-03-29 23:14:54 +00:00
"github.com/hashicorp/vault/logical"
2015-03-12 06:05:16 +00:00
"github.com/hashicorp/vault/vault"
)
// AuthHeaderName is the name of the header containing the token.
const AuthHeaderName = "X-Vault-Token"
2015-03-12 06:05:16 +00:00
// Handler returns an http.Handler for the API. This can be used on
// its own to mount the Vault API within another web server.
func Handler(core *vault.Core) http.Handler {
2015-04-03 05:21:33 +00:00
// Create the muxer to handle the actual endpoints
2015-03-12 06:05:16 +00:00
mux := http.NewServeMux()
2015-03-12 19:37:41 +00:00
mux.Handle("/v1/sys/init", handleSysInit(core))
2015-03-12 17:47:31 +00:00
mux.Handle("/v1/sys/seal-status", handleSysSealStatus(core))
mux.Handle("/v1/sys/seal", handleSysSeal(core))
mux.Handle("/v1/sys/step-down", handleSysStepDown(core))
2015-03-12 17:47:31 +00:00
mux.Handle("/v1/sys/unseal", handleSysUnseal(core))
mux.Handle("/v1/sys/renew/", handleLogical(core, false, nil))
2015-04-20 18:59:24 +00:00
mux.Handle("/v1/sys/leader", handleSysLeader(core))
2015-04-23 18:53:31 +00:00
mux.Handle("/v1/sys/health", handleSysHealth(core))
2016-01-15 15:55:35 +00:00
mux.Handle("/v1/sys/generate-root/attempt", handleSysGenerateRootAttempt(core))
mux.Handle("/v1/sys/generate-root/update", handleSysGenerateRootUpdate(core))
2015-05-28 21:28:50 +00:00
mux.Handle("/v1/sys/rekey/init", handleSysRekeyInit(core))
mux.Handle("/v1/sys/rekey/update", handleSysRekeyUpdate(core))
mux.Handle("/v1/sys/capabilities-self", handleLogical(core, true, sysCapabilitiesCallback))
mux.Handle("/v1/sys/", handleLogical(core, true, nil))
mux.Handle("/v1/", handleLogical(core, false, nil))
2015-04-03 05:21:33 +00:00
// Wrap the handler in another handler to trigger all help paths.
handler := handleHelpHandler(mux, core)
return handler
}
func sysCapabilitiesCallback(req *logical.Request) error {
req.Data["token"] = req.ClientToken
return nil
}
2015-04-03 05:21:33 +00:00
// stripPrefix is a helper to strip a prefix from the path. It will
// return false from the second return value if it the prefix doesn't exist.
func stripPrefix(prefix, path string) (string, bool) {
if !strings.HasPrefix(path, prefix) {
return "", false
}
path = path[len(prefix):]
if path == "" {
return "", false
}
return path, true
2015-03-12 06:05:16 +00:00
}
func parseRequest(r *http.Request, out interface{}) error {
dec := json.NewDecoder(r.Body)
err := dec.Decode(out)
if err != nil && err != io.EOF {
return fmt.Errorf("Failed to parse JSON input: %s", err)
}
return err
2015-03-12 06:05:16 +00:00
}
2015-04-08 18:19:03 +00:00
// request is a helper to perform a request and properly exit in the
// case of an error.
2015-04-19 21:36:50 +00:00
func request(core *vault.Core, w http.ResponseWriter, rawReq *http.Request, r *logical.Request) (*logical.Response, bool) {
2015-04-08 18:19:03 +00:00
resp, err := core.HandleRequest(r)
2015-04-19 20:18:09 +00:00
if err == vault.ErrStandby {
2015-04-19 21:36:50 +00:00
respondStandby(core, w, rawReq.URL)
2015-04-19 20:18:09 +00:00
return resp, false
}
if respondCommon(w, resp, err) {
2015-04-08 18:19:03 +00:00
return resp, false
}
if err != nil {
respondErrorStatus(w, err)
2015-04-08 18:19:03 +00:00
return resp, false
}
return resp, true
}
2015-04-19 20:18:09 +00:00
// respondStandby is used to trigger a redirect in the case that this Vault is currently a hot standby
func respondStandby(core *vault.Core, w http.ResponseWriter, reqURL *url.URL) {
// Request the leader address
_, advertise, err := core.Leader()
if err != nil {
respondError(w, http.StatusInternalServerError, err)
return
}
// If there is no leader, generate a 503 error
if advertise == "" {
err = fmt.Errorf("no active Vault instance found")
respondError(w, http.StatusServiceUnavailable, err)
return
}
// Parse the advertise location
advertiseURL, err := url.Parse(advertise)
if err != nil {
respondError(w, http.StatusInternalServerError, err)
return
}
// Generate a redirect URL
redirectURL := url.URL{
Scheme: advertiseURL.Scheme,
Host: advertiseURL.Host,
Path: reqURL.Path,
RawQuery: reqURL.RawQuery,
}
// Ensure there is a scheme, default to https
if redirectURL.Scheme == "" {
redirectURL.Scheme = "https"
}
// If we have an address, redirect! We use a 307 code
// because we don't actually know if its permanent and
// the request method should be preserved.
w.Header().Set("Location", redirectURL.String())
w.WriteHeader(307)
}
2015-03-29 23:14:54 +00:00
// requestAuth adds the token to the logical.Request if it exists.
func requestAuth(r *http.Request, req *logical.Request) *logical.Request {
// Attach the header value if we have it
if v := r.Header.Get(AuthHeaderName); v != "" {
req.ClientToken = v
}
2015-03-29 23:14:54 +00:00
return req
}
// Determines the type of the error being returned and sets the HTTP
// status code appropriately
func respondErrorStatus(w http.ResponseWriter, err error) {
status := http.StatusInternalServerError
switch {
// Keep adding more error types here to appropriate the status codes
2016-03-09 02:47:24 +00:00
case errwrap.ContainsType(err, new(vault.StatusBadRequest)):
status = http.StatusBadRequest
}
respondError(w, status, err)
}
2015-03-12 06:05:16 +00:00
func respondError(w http.ResponseWriter, status int, err error) {
2015-05-19 07:59:19 +00:00
// Adjust status code when sealed
if err == vault.ErrSealed {
status = http.StatusServiceUnavailable
}
// Allow HTTPCoded error passthrough to specify a code
if t, ok := err.(logical.HTTPCodedError); ok {
status = t.Code()
}
2015-03-12 06:05:16 +00:00
w.Header().Add("Content-Type", "application/json")
w.WriteHeader(status)
resp := &ErrorResponse{Errors: make([]string, 0, 1)}
if err != nil {
resp.Errors = append(resp.Errors, err.Error())
}
enc := json.NewEncoder(w)
enc.Encode(resp)
}
func respondCommon(w http.ResponseWriter, resp *logical.Response, err error) bool {
if resp == nil {
return false
}
if resp.IsError() {
var statusCode int
switch err {
case logical.ErrPermissionDenied:
statusCode = http.StatusForbidden
case logical.ErrUnsupportedOperation:
statusCode = http.StatusMethodNotAllowed
case logical.ErrUnsupportedPath:
statusCode = http.StatusNotFound
case logical.ErrInvalidRequest:
statusCode = http.StatusBadRequest
default:
statusCode = http.StatusBadRequest
}
err := fmt.Errorf("%s", resp.Data["error"].(string))
respondError(w, statusCode, err)
return true
}
return false
}
2015-03-12 06:05:16 +00:00
func respondOk(w http.ResponseWriter, body interface{}) {
w.Header().Add("Content-Type", "application/json")
if body == nil {
w.WriteHeader(http.StatusNoContent)
} else {
w.WriteHeader(http.StatusOK)
enc := json.NewEncoder(w)
enc.Encode(body)
}
}
type ErrorResponse struct {
Errors []string `json:"errors"`
}