open-vault/vault/router.go

677 lines
19 KiB
Go
Raw Normal View History

2015-03-06 01:23:56 +00:00
package vault
import (
"context"
2015-03-06 01:23:56 +00:00
"fmt"
"strings"
"sync"
"sync/atomic"
2015-04-08 23:43:17 +00:00
"time"
2015-03-06 01:23:56 +00:00
2015-04-08 23:43:17 +00:00
"github.com/armon/go-metrics"
2015-03-06 01:23:56 +00:00
"github.com/armon/go-radix"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/helper/salt"
"github.com/hashicorp/vault/logical"
2015-03-06 01:23:56 +00:00
)
var (
whitelistedHeaders = []string{
consts.VaultKVCLIClientHeader,
}
)
2015-03-06 01:23:56 +00:00
// Router is used to do prefix based routing of a request to a logical backend
type Router struct {
l sync.RWMutex
root *radix.Tree
mountUUIDCache *radix.Tree
mountAccessorCache *radix.Tree
tokenStoreSaltFunc func(context.Context) (*salt.Salt, error)
// storagePrefix maps the prefix used for storage (ala the BarrierView)
// to the backend. This is used to map a key back into the backend that owns it.
// For example, logical/uuid1/foobar -> secrets/ (kv backend) + foobar
storagePrefix *radix.Tree
2015-03-06 01:23:56 +00:00
}
// NewRouter returns a new router
func NewRouter() *Router {
r := &Router{
root: radix.New(),
storagePrefix: radix.New(),
mountUUIDCache: radix.New(),
mountAccessorCache: radix.New(),
2015-03-06 01:23:56 +00:00
}
return r
}
// routeEntry is used to represent a mount point in the router
type routeEntry struct {
2017-10-23 18:59:37 +00:00
tainted bool
backend logical.Backend
mountEntry *MountEntry
storageView logical.Storage
storagePrefix string
rootPaths atomic.Value
loginPaths atomic.Value
l sync.RWMutex
2015-03-06 01:23:56 +00:00
}
type validateMountResponse struct {
MountType string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type"`
MountAccessor string `json:"mount_accessor" structs:"mount_accessor" mapstructure:"mount_accessor"`
MountPath string `json:"mount_path" structs:"mount_path" mapstructure:"mount_path"`
}
// validateMountByAccessor returns the mount type and ID for a given mount
// accessor
func (r *Router) validateMountByAccessor(accessor string) *validateMountResponse {
if accessor == "" {
return nil
}
mountEntry := r.MatchingMountByAccessor(accessor)
if mountEntry == nil {
return nil
}
mountPath := mountEntry.Path
if mountEntry.Table == credentialTableType {
mountPath = credentialRoutePrefix + mountPath
}
return &validateMountResponse{
MountAccessor: mountEntry.Accessor,
MountType: mountEntry.Type,
MountPath: mountPath,
}
}
2016-05-15 16:58:36 +00:00
// SaltID is used to apply a salt and hash to an ID to make sure its not reversible
func (re *routeEntry) SaltID(id string) string {
return salt.SaltID(re.mountEntry.UUID, id, salt.SHA1Hash)
}
// Mount is used to expose a logical backend at a given prefix, using a unique salt,
// and the barrier view for that path.
func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, storageView *BarrierView) error {
2015-03-06 01:23:56 +00:00
r.l.Lock()
defer r.l.Unlock()
// Check if this is a nested mount
if existing, _, ok := r.root.LongestPrefix(prefix); ok && existing != "" {
return fmt.Errorf("cannot mount under existing mount '%s'", existing)
}
2015-03-31 00:46:18 +00:00
// Build the paths
Lazy-load plugin mounts (#3255) * Lazy load plugins to avoid setup-unwrap cycle * Remove commented blocks * Refactor NewTestCluster, use single core cluster on basic plugin tests * Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly * Add special path to mock plugin * Move ensureCoresSealed to vault/testing.go * Use same method for EnsureCoresSealed and Cleanup * Bump ensureCoresSealed timeout to 60s * Correctly handle nil opts on NewTestCluster * Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap * Check metadata flag directly on the plugin process * Plumb isMetadataMode down to PluginRunner * Add NOOP shims when running in metadata mode * Remove unused flag from the APIMetadata object * Remove setupSecretPlugins and setupCredentialPlugins functions * Move when we setup rollback manager to after the plugins are initialized * Fix tests * Fix merge issue * start rollback manager after the credential setup * Add guards against running certain client and server functions while in metadata mode * Call initialize once a plugin is loaded on the fly * Add more tests, update basic secret/auth plugin tests to trigger lazy loading * Skip mount if plugin removed from catalog * Fixup * Remove commented line on LookupPlugin * Fail on mount operation if plugin is re-added to catalog and mount is on existing path * Check type and special paths on startBackend * Fix merge conflicts * Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 05:02:03 +00:00
paths := new(logical.Paths)
if backend != nil {
specialPaths := backend.SpecialPaths()
if specialPaths != nil {
paths = specialPaths
}
2015-03-06 01:23:56 +00:00
}
// Create a mount entry
re := &routeEntry{
2017-10-23 18:59:37 +00:00
tainted: false,
backend: backend,
mountEntry: mountEntry,
storagePrefix: storageView.prefix,
2018-03-20 14:42:57 +00:00
storageView: storageView,
2015-03-06 01:23:56 +00:00
}
re.rootPaths.Store(pathsToRadix(paths.Root))
re.loginPaths.Store(pathsToRadix(paths.Unauthenticated))
switch {
case prefix == "":
return fmt.Errorf("missing prefix to be used for router entry; mount_path: %q, mount_type: %q", re.mountEntry.Path, re.mountEntry.Type)
2017-10-23 18:59:37 +00:00
case re.storagePrefix == "":
return fmt.Errorf("missing storage view prefix; mount_path: %q, mount_type: %q", re.mountEntry.Path, re.mountEntry.Type)
case re.mountEntry.UUID == "":
return fmt.Errorf("missing mount identifier; mount_path: %q, mount_type: %q", re.mountEntry.Path, re.mountEntry.Type)
case re.mountEntry.Accessor == "":
return fmt.Errorf("missing mount accessor; mount_path: %q, mount_type: %q", re.mountEntry.Path, re.mountEntry.Type)
}
r.root.Insert(prefix, re)
2017-10-23 18:59:37 +00:00
r.storagePrefix.Insert(re.storagePrefix, re)
2017-06-17 03:54:19 +00:00
r.mountUUIDCache.Insert(re.mountEntry.UUID, re.mountEntry)
r.mountAccessorCache.Insert(re.mountEntry.Accessor, re.mountEntry)
2015-03-06 01:23:56 +00:00
return nil
}
// Unmount is used to remove a logical backend from a given prefix
func (r *Router) Unmount(ctx context.Context, prefix string) error {
2015-03-06 01:23:56 +00:00
r.l.Lock()
defer r.l.Unlock()
// Fast-path out if the backend doesn't exist
raw, ok := r.root.Get(prefix)
if !ok {
return nil
}
// Call backend's Cleanup routine
re := raw.(*routeEntry)
2017-10-23 18:59:37 +00:00
if re.backend != nil {
re.backend.Cleanup(ctx)
2017-10-23 18:59:37 +00:00
}
// Purge from the radix trees
2015-03-06 01:23:56 +00:00
r.root.Delete(prefix)
2017-10-23 18:59:37 +00:00
r.storagePrefix.Delete(re.storagePrefix)
2017-06-17 03:54:19 +00:00
r.mountUUIDCache.Delete(re.mountEntry.UUID)
r.mountAccessorCache.Delete(re.mountEntry.Accessor)
2015-03-06 01:23:56 +00:00
return nil
}
// Remount is used to change the mount location of a logical backend
func (r *Router) Remount(src, dst string) error {
r.l.Lock()
defer r.l.Unlock()
// Check for existing mount
raw, ok := r.root.Get(src)
if !ok {
return fmt.Errorf("no mount at '%s'", src)
}
// Update the mount point
r.root.Delete(src)
r.root.Insert(dst, raw)
return nil
}
2015-04-02 18:12:13 +00:00
// Taint is used to mark a path as tainted. This means only RollbackOperation
2016-03-01 01:29:04 +00:00
// RevokeOperation requests are allowed to proceed
2015-04-02 18:12:13 +00:00
func (r *Router) Taint(path string) error {
r.l.Lock()
defer r.l.Unlock()
_, raw, ok := r.root.LongestPrefix(path)
if ok {
raw.(*routeEntry).tainted = true
2015-04-02 18:12:13 +00:00
}
return nil
}
2015-04-02 19:01:53 +00:00
// Untaint is used to unmark a path as tainted.
func (r *Router) Untaint(path string) error {
r.l.Lock()
defer r.l.Unlock()
_, raw, ok := r.root.LongestPrefix(path)
if ok {
raw.(*routeEntry).tainted = false
2015-04-02 19:01:53 +00:00
}
return nil
}
2017-06-17 03:54:19 +00:00
func (r *Router) MatchingMountByUUID(mountID string) *MountEntry {
if mountID == "" {
return nil
}
r.l.RLock()
defer r.l.RUnlock()
2017-06-17 03:54:19 +00:00
_, raw, ok := r.mountUUIDCache.LongestPrefix(mountID)
if !ok {
return nil
}
return raw.(*MountEntry)
}
// MatchingMountByAccessor returns the MountEntry by accessor lookup
func (r *Router) MatchingMountByAccessor(mountAccessor string) *MountEntry {
if mountAccessor == "" {
return nil
}
r.l.RLock()
defer r.l.RUnlock()
_, raw, ok := r.mountAccessorCache.LongestPrefix(mountAccessor)
if !ok {
return nil
}
return raw.(*MountEntry)
}
2015-04-02 18:03:59 +00:00
// MatchingMount returns the mount prefix that would be used for a path
func (r *Router) MatchingMount(path string) string {
r.l.RLock()
2017-11-06 20:29:09 +00:00
defer r.l.RUnlock()
var mount = r.matchingMountInternal(path)
return mount
}
func (r *Router) matchingMountInternal(path string) string {
mount, _, ok := r.root.LongestPrefix(path)
if !ok {
return ""
}
return mount
}
2017-11-06 20:29:09 +00:00
// matchingPrefixInternal returns a mount prefix that a path may be a part of
func (r *Router) matchingPrefixInternal(path string) string {
var existing string = ""
fn := func(existing_path string, _v interface{}) bool {
if strings.HasPrefix(existing_path, path) {
existing = existing_path
return true
}
return false
}
r.root.WalkPrefix(path, fn)
return existing
}
// MountConflict determines if there are potential path conflicts
func (r *Router) MountConflict(path string) string {
r.l.RLock()
defer r.l.RUnlock()
if exact_match := r.matchingMountInternal(path); exact_match != "" {
return exact_match
}
if prefix_match := r.matchingPrefixInternal(path); prefix_match != "" {
return prefix_match
}
return ""
}
2017-10-23 18:59:37 +00:00
// MatchingStorageByAPIPath/StoragePath returns the storage used for
// API/Storage paths respectively
func (r *Router) MatchingStorageByAPIPath(path string) logical.Storage {
return r.matchingStorage(path, true)
}
func (r *Router) MatchingStorageByStoragePath(path string) logical.Storage {
return r.matchingStorage(path, false)
}
func (r *Router) matchingStorage(path string, apiPath bool) logical.Storage {
var raw interface{}
var ok bool
2015-04-02 18:03:59 +00:00
r.l.RLock()
2017-10-23 18:59:37 +00:00
if apiPath {
_, raw, ok = r.root.LongestPrefix(path)
} else {
_, raw, ok = r.storagePrefix.LongestPrefix(path)
}
2015-04-02 18:03:59 +00:00
r.l.RUnlock()
if !ok {
return nil
}
return raw.(*routeEntry).storageView
}
// MatchingMountEntry returns the MountEntry used for a path
func (r *Router) MatchingMountEntry(path string) *MountEntry {
r.l.RLock()
_, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return nil
}
return raw.(*routeEntry).mountEntry
}
// MatchingBackend returns the backend used for a path
func (r *Router) MatchingBackend(path string) logical.Backend {
r.l.RLock()
_, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return nil
}
return raw.(*routeEntry).backend
}
// MatchingSystemView returns the SystemView used for a path
func (r *Router) MatchingSystemView(path string) logical.SystemView {
r.l.RLock()
_, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return nil
}
return raw.(*routeEntry).backend.System()
2015-04-02 18:03:59 +00:00
}
2017-10-23 18:59:37 +00:00
// MatchingStoragePrefixByAPIPath/StoragePath returns the mount path matching
// and storage prefix matching the given API/Storage path respectively
func (r *Router) MatchingStoragePrefixByAPIPath(path string) (string, string, bool) {
return r.matchingStoragePrefix(path, true)
}
func (r *Router) MatchingStoragePrefixByStoragePath(path string) (string, string, bool) {
return r.matchingStoragePrefix(path, false)
}
func (r *Router) matchingStoragePrefix(path string, apiPath bool) (string, string, bool) {
var raw interface{}
var ok bool
r.l.RLock()
2017-10-23 18:59:37 +00:00
if apiPath {
_, raw, ok = r.root.LongestPrefix(path)
} else {
_, raw, ok = r.storagePrefix.LongestPrefix(path)
}
r.l.RUnlock()
if !ok {
return "", "", false
}
// Extract the mount path and storage prefix
re := raw.(*routeEntry)
mountPath := re.mountEntry.Path
2017-10-23 18:59:37 +00:00
prefix := re.storagePrefix
// Add back the prefix for credential backends
2017-10-23 18:59:37 +00:00
if !apiPath && strings.HasPrefix(path, credentialBarrierPrefix) {
mountPath = credentialRoutePrefix + mountPath
}
return mountPath, prefix, true
}
2015-03-06 01:23:56 +00:00
// Route is used to route a given request
func (r *Router) Route(ctx context.Context, req *logical.Request) (*logical.Response, error) {
resp, _, _, err := r.routeCommon(ctx, req, false)
return resp, err
}
// Route is used to route a given existence check request
func (r *Router) RouteExistenceCheck(ctx context.Context, req *logical.Request) (bool, bool, error) {
_, ok, exists, err := r.routeCommon(ctx, req, true)
2016-01-12 20:09:16 +00:00
return ok, exists, err
}
func (r *Router) routeCommon(ctx context.Context, req *logical.Request, existenceCheck bool) (*logical.Response, bool, bool, error) {
2015-03-06 01:23:56 +00:00
// Find the mount point
r.l.RLock()
adjustedPath := req.Path
mount, raw, ok := r.root.LongestPrefix(adjustedPath)
if !ok && !strings.HasSuffix(adjustedPath, "/") {
// Re-check for a backend by appending a slash. This lets "foo" mean
// "foo/" at the root level which is almost always what we want.
adjustedPath += "/"
mount, raw, ok = r.root.LongestPrefix(adjustedPath)
}
2015-03-06 01:23:56 +00:00
r.l.RUnlock()
if !ok {
2016-01-12 20:09:16 +00:00
return logical.ErrorResponse(fmt.Sprintf("no handler for route '%s'", req.Path)), false, false, logical.ErrUnsupportedPath
2015-03-06 01:23:56 +00:00
}
req.Path = adjustedPath
defer metrics.MeasureSince([]string{"route", string(req.Operation),
strings.Replace(mount, "/", "-", -1)}, time.Now())
re := raw.(*routeEntry)
2015-03-06 01:23:56 +00:00
// Grab a read lock on the route entry, this protects against the backend
// being reloaded during a request.
re.l.RLock()
defer re.l.RUnlock()
2017-10-23 18:59:37 +00:00
// Filtered mounts will have a nil backend
if re.backend == nil {
return logical.ErrorResponse(fmt.Sprintf("no handler for route '%s'", req.Path)), false, false, logical.ErrUnsupportedPath
}
2015-04-02 18:12:13 +00:00
// If the path is tainted, we reject any operation except for
// Rollback and Revoke
if re.tainted {
2015-04-02 18:12:13 +00:00
switch req.Operation {
case logical.RevokeOperation, logical.RollbackOperation:
default:
2016-01-12 20:09:16 +00:00
return logical.ErrorResponse(fmt.Sprintf("no handler for route '%s'", req.Path)), false, false, logical.ErrUnsupportedPath
2015-04-02 18:12:13 +00:00
}
}
// Adjust the path to exclude the routing prefix
2016-09-29 04:01:28 +00:00
originalPath := req.Path
2015-03-06 01:23:56 +00:00
req.Path = strings.TrimPrefix(req.Path, mount)
req.MountPoint = mount
Create unified aws auth backend (#2441) * Rename builtin/credential/aws-ec2 to aws The aws-ec2 authentication backend is being expanded and will become the generic aws backend. This is a small rename commit to keep the commit history clean. * Expand aws-ec2 backend to more generic aws This adds the ability to authenticate arbitrary AWS IAM principals using AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to just AWS with the expansion. * Add missing aws auth handler to CLI This was omitted from the previous commit * aws auth backend general variable name cleanup Also fixed a bug where allowed auth types weren't being checked upon login, and added tests for it. * Update docs for the aws auth backend * Refactor aws bind validation * Fix env var override in aws backend test Intent is to override the AWS environment variables with the TEST_* versions if they are set, but the reverse was happening. * Update docs on use of IAM authentication profile AWS now allows you to change the instance profile of a running instance, so the use case of "a long-lived instance that's not in an instance profile" no longer means you have to use the the EC2 auth method. You can now just change the instance profile on the fly. * Fix typo in aws auth cli help * Respond to PR feedback * More PR feedback * Respond to additional PR feedback * Address more feedback on aws auth PR * Make aws auth_type immutable per role * Address more aws auth PR feedback * Address more iam auth PR feedback * Rename aws-ec2.html.md to aws.html.md Per PR feedback, to go along with new backend name. * Add MountType to logical.Request * Make default aws auth_type dependent upon MountType When MountType is aws-ec2, default to ec2 auth_type for backwards compatibility with legacy roles. Otherwise, default to iam. * Pass MountPoint and MountType back up to the core Previously the request router reset the MountPoint and MountType back to the empty string before returning to the core. This ensures they get set back to the correct values.
2017-04-24 19:15:50 +00:00
req.MountType = re.mountEntry.Type
if req.Path == "/" {
req.Path = ""
}
// Attach the storage view for the request
req.Storage = re.storageView
originalEntityID := req.EntityID
// Allow EntityID to passthrough to the system backend. This is required to
// allow clients to generate MFA credentials in respective entity objects
// in identity store via the system backend.
switch {
case strings.HasPrefix(originalPath, "sys/"):
default:
req.EntityID = ""
}
2017-10-23 18:59:37 +00:00
// Hash the request token unless the request is being routed to the token
// or system backend.
clientToken := req.ClientToken
switch {
2016-09-29 04:01:28 +00:00
case strings.HasPrefix(originalPath, "auth/token/"):
case strings.HasPrefix(originalPath, "sys/"):
case strings.HasPrefix(originalPath, "cubbyhole/"):
// In order for the token store to revoke later, we need to have the same
// salted ID, so we double-salt what's going to the cubbyhole backend
salt, err := r.tokenStoreSaltFunc(ctx)
if err != nil {
return nil, false, false, err
}
req.ClientToken = re.SaltID(salt.SaltID(req.ClientToken))
default:
req.ClientToken = re.SaltID(req.ClientToken)
}
2015-03-06 01:23:56 +00:00
2016-02-18 16:22:04 +00:00
// Cache the pointer to the original connection object
originalConn := req.Connection
2016-07-24 01:46:28 +00:00
// Cache the identifier of the request
originalReqID := req.ID
// Cache the client token's number of uses in the request
originalClientTokenRemainingUses := req.ClientTokenRemainingUses
req.ClientTokenRemainingUses = 0
// Cache the headers
headers := req.Headers
// Filter and add passthrough headers to the backend
var passthroughRequestHeaders []string
if rawVal, ok := re.mountEntry.synthesizedConfigCache.Load("passthrough_request_headers"); ok {
passthroughRequestHeaders = rawVal.([]string)
}
req.Headers = filteredPassthroughHeaders(headers, passthroughRequestHeaders)
2017-01-04 21:44:03 +00:00
// Cache the wrap info of the request
var wrapInfo *logical.RequestWrapInfo
if req.WrapInfo != nil {
wrapInfo = &logical.RequestWrapInfo{
TTL: req.WrapInfo.TTL,
Format: req.WrapInfo.Format,
SealWrap: req.WrapInfo.SealWrap,
2017-01-04 21:44:03 +00:00
}
}
2016-09-29 04:01:28 +00:00
2015-03-06 01:23:56 +00:00
// Reset the request before returning
defer func() {
2016-09-29 04:01:28 +00:00
req.Path = originalPath
Create unified aws auth backend (#2441) * Rename builtin/credential/aws-ec2 to aws The aws-ec2 authentication backend is being expanded and will become the generic aws backend. This is a small rename commit to keep the commit history clean. * Expand aws-ec2 backend to more generic aws This adds the ability to authenticate arbitrary AWS IAM principals using AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to just AWS with the expansion. * Add missing aws auth handler to CLI This was omitted from the previous commit * aws auth backend general variable name cleanup Also fixed a bug where allowed auth types weren't being checked upon login, and added tests for it. * Update docs for the aws auth backend * Refactor aws bind validation * Fix env var override in aws backend test Intent is to override the AWS environment variables with the TEST_* versions if they are set, but the reverse was happening. * Update docs on use of IAM authentication profile AWS now allows you to change the instance profile of a running instance, so the use case of "a long-lived instance that's not in an instance profile" no longer means you have to use the the EC2 auth method. You can now just change the instance profile on the fly. * Fix typo in aws auth cli help * Respond to PR feedback * More PR feedback * Respond to additional PR feedback * Address more feedback on aws auth PR * Make aws auth_type immutable per role * Address more aws auth PR feedback * Address more iam auth PR feedback * Rename aws-ec2.html.md to aws.html.md Per PR feedback, to go along with new backend name. * Add MountType to logical.Request * Make default aws auth_type dependent upon MountType When MountType is aws-ec2, default to ec2 auth_type for backwards compatibility with legacy roles. Otherwise, default to iam. * Pass MountPoint and MountType back up to the core Previously the request router reset the MountPoint and MountType back to the empty string before returning to the core. This ensures they get set back to the correct values.
2017-04-24 19:15:50 +00:00
req.MountPoint = mount
req.MountType = re.mountEntry.Type
req.Connection = originalConn
2016-07-24 01:46:28 +00:00
req.ID = originalReqID
req.Storage = nil
2015-03-24 18:09:25 +00:00
req.ClientToken = clientToken
req.ClientTokenRemainingUses = originalClientTokenRemainingUses
2017-01-04 21:44:03 +00:00
req.WrapInfo = wrapInfo
req.Headers = headers
2017-03-01 17:39:42 +00:00
// This is only set in one place, after routing, so should never be set
// by a backend
req.SetLastRemoteWAL(0)
// This will be used for attaching the mount accessor for the identities
// returned by the authentication backends
req.MountAccessor = re.mountEntry.Accessor
req.EntityID = originalEntityID
2015-03-06 01:23:56 +00:00
}()
// Invoke the backend
if existenceCheck {
ok, exists, err := re.backend.HandleExistenceCheck(ctx, req)
2016-01-12 20:09:16 +00:00
return nil, ok, exists, err
} else {
resp, err := re.backend.HandleRequest(ctx, req)
// When a token gets renewed, the request hits this path and reaches
// token store. Token store delegates the renewal to the expiration
// manager. Expiration manager in-turn creates a different logical
// request and forwards the request to the auth backend that had
// initially authenticated the login request. The forwarding to auth
// backend will make this code path hit for the second time for the
// same renewal request. The accessors in the Alias structs should be
// of the auth backend and not of the token store. Therefore, avoiding
// the overwriting of accessors by having a check for path prefix
// having "renew". This gets applied for "renew" and "renew-self"
// requests.
if resp != nil &&
resp.Auth != nil &&
!strings.HasPrefix(req.Path, "renew") {
if resp.Auth.Alias != nil {
resp.Auth.Alias.MountAccessor = re.mountEntry.Accessor
}
for _, alias := range resp.Auth.GroupAliases {
alias.MountAccessor = re.mountEntry.Accessor
}
}
2016-01-12 20:09:16 +00:00
return resp, false, false, err
}
2015-03-06 01:23:56 +00:00
}
// RootPath checks if the given path requires root privileges
func (r *Router) RootPath(path string) bool {
r.l.RLock()
mount, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return false
}
re := raw.(*routeEntry)
2015-03-06 01:23:56 +00:00
// Trim to get remaining path
remain := strings.TrimPrefix(path, mount)
// Check the rootPaths of this backend
rootPaths := re.rootPaths.Load().(*radix.Tree)
match, raw, ok := rootPaths.LongestPrefix(remain)
2015-03-06 01:23:56 +00:00
if !ok {
return false
}
prefixMatch := raw.(bool)
// Handle the prefix match case
if prefixMatch {
return strings.HasPrefix(remain, match)
}
// Handle the exact match case
return match == remain
}
// LoginPath checks if the given path is used for logins
func (r *Router) LoginPath(path string) bool {
r.l.RLock()
mount, raw, ok := r.root.LongestPrefix(path)
r.l.RUnlock()
if !ok {
return false
}
re := raw.(*routeEntry)
// Trim to get remaining path
remain := strings.TrimPrefix(path, mount)
// Check the loginPaths of this backend
loginPaths := re.loginPaths.Load().(*radix.Tree)
match, raw, ok := loginPaths.LongestPrefix(remain)
if !ok {
return false
}
prefixMatch := raw.(bool)
// Handle the prefix match case
if prefixMatch {
return strings.HasPrefix(remain, match)
}
// Handle the exact match case
return match == remain
}
2015-03-31 00:46:18 +00:00
// pathsToRadix converts a the mapping of special paths to a mapping
// of special paths to radix trees.
func pathsToRadix(paths []string) *radix.Tree {
tree := radix.New()
for _, path := range paths {
// Check if this is a prefix or exact match
prefixMatch := len(path) >= 1 && path[len(path)-1] == '*'
if prefixMatch {
path = path[:len(path)-1]
}
2015-03-31 00:46:18 +00:00
tree.Insert(path, prefixMatch)
}
2015-03-31 00:46:18 +00:00
return tree
}
// filteredPassthroughHeaders returns a headers map[string][]string that
// contains the filtered values contained in passthroughHeaders, as well as the
// values in whitelistedHeaders. Filtering of passthroughHeaders from the
// origHeaders is done is a case-insensitive manner.
func filteredPassthroughHeaders(origHeaders map[string][]string, passthroughHeaders []string) map[string][]string {
retHeaders := make(map[string][]string)
// Handle whitelisted values
for _, header := range whitelistedHeaders {
if val, ok := origHeaders[header]; ok {
retHeaders[header] = val
} else {
// Try to check if a lowercased version of the header exists in the
// originating request. The header key that gets used is the one from the
// whitelist.
if val, ok := origHeaders[strings.ToLower(header)]; ok {
retHeaders[header] = val
}
}
}
// Short-circuit if there's nothing to filter
if len(passthroughHeaders) == 0 {
return retHeaders
}
// Create a map that uses lowercased header values as the key and the original
// header naming as the value for comparison down below.
lowerHeadersRef := make(map[string]string, len(origHeaders))
for key := range origHeaders {
lowerHeadersRef[strings.ToLower(key)] = key
}
// Case-insensitive compare of passthrough headers against originating
// headers. The returned headers will be the same casing as the originating
// header name.
for _, ph := range passthroughHeaders {
if header, ok := lowerHeadersRef[strings.ToLower(ph)]; ok {
retHeaders[header] = origHeaders[header]
}
}
return retHeaders
}