luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/vault/wrapping.go

378 lines
11 KiB
Go
Raw Normal View History

JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
package vault
import (
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
"context"
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"encoding/json"
"fmt"
"strings"
"time"
"github.com/SermoDigital/jose/crypto"
"github.com/SermoDigital/jose/jws"
"github.com/SermoDigital/jose/jwt"
"github.com/hashicorp/errwrap"
Refactor the cluster listener (#6232) * Port over OSS cluster port refactor components * Start forwarding * Cleanup a bit * Fix copy error * Return error from perf standby creation * Add some more comments * Fix copy/paste error
2019-02-15 02:14:56 +00:00
"github.com/hashicorp/vault/helper/certutil"
Port some replication bits to OSS (#2386)
2017-02-16 20:15:02 +00:00
"github.com/hashicorp/vault/helper/consts"
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
"github.com/hashicorp/vault/helper/jsonutil"
The big one (#5346)
2018-09-18 03:03:00 +00:00
"github.com/hashicorp/vault/helper/namespace"
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
"github.com/hashicorp/vault/logical"
)
const (
// The location of the key used to generate response-wrapping JWTs
coreWrappingJWTKeyPath = "core/wrapping/jwtkey"
)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
func (c *Core) ensureWrappingKey(ctx context.Context) error {
entry, err := c.barrier.Get(ctx, coreWrappingJWTKeyPath)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
if err != nil {
return err
}
Refactor the cluster listener (#6232) * Port over OSS cluster port refactor components * Start forwarding * Cleanup a bit * Fix copy error * Return error from perf standby creation * Add some more comments * Fix copy/paste error
2019-02-15 02:14:56 +00:00
var keyParams certutil.ClusterKeyParams
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
if entry == nil {
key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
return errwrap.Wrapf("failed to generate wrapping key: {{err}}", err)
}
keyParams.D = key.D
keyParams.X = key.X
keyParams.Y = key.Y
keyParams.Type = corePrivateKeyTypeP521
val, err := jsonutil.EncodeJSON(keyParams)
if err != nil {
return errwrap.Wrapf("failed to encode wrapping key: {{err}}", err)
}
Split SubView functionality into logical.StorageView (#6141) This lets other parts of Vault that can't depend on the vault package take advantage of the subview functionality. This also allows getting rid of BarrierStorage and vault.Entry, two totally redundant abstractions.
2019-01-31 14:25:18 +00:00
entry = &logical.StorageEntry{
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
Key: coreWrappingJWTKeyPath,
Value: val,
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
if err = c.barrier.Put(ctx, entry); err != nil {
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return errwrap.Wrapf("failed to store wrapping key: {{err}}", err)
}
}
// Redundant if we just created it, but in this case serves as a check anyways
if err = jsonutil.DecodeJSON(entry.Value, &keyParams); err != nil {
return errwrap.Wrapf("failed to decode wrapping key parameters: {{err}}", err)
}
c.wrappingJWTKey = &ecdsa.PrivateKey{
PublicKey: ecdsa.PublicKey{
Curve: elliptic.P521(),
X: keyParams.X,
Y: keyParams.Y,
},
D: keyParams.D,
}
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
c.logger.Info("loaded wrapping token key")
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return nil
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
func (c *Core) wrapInCubbyhole(ctx context.Context, req *logical.Request, resp *logical.Response, auth *logical.Auth) (*logical.Response, error) {
The big one (#5346)
2018-09-18 03:03:00 +00:00
if c.perfStandby {
return forwardWrapRequest(ctx, c, req, resp, auth)
}
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
// Before wrapping, obey special rules for listing: if no entries are
// found, 404. This prevents unwrapping only to find empty data.
if req.Operation == logical.ListOperation {
Allow returning warnings and other data in 404s in the Go API (#4256) * Allow returning list information and other data in 404s. On read it'll output data and/or warnings on a 404 if they exist. On list, the same behavior; the actual 'vault list' command doesn't change behavior though in terms of output unless there are no actual keys (so it doesn't just magically show other data). This corrects some assumptions in response_util and wrapping.go; it also corrects a few places in the latter where it could leak a (useless) token in some error cases. * Use same 404 logic in delete/put too * Add the same secret parsing logic to the KV request functions
2018-04-04 02:35:45 +00:00
if resp == nil || (len(resp.Data) == 0 && len(resp.Warnings) == 0) {
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return nil, logical.ErrUnsupportedPath
}
Allow returning warnings and other data in 404s in the Go API (#4256) * Allow returning list information and other data in 404s. On read it'll output data and/or warnings on a 404 if they exist. On list, the same behavior; the actual 'vault list' command doesn't change behavior though in terms of output unless there are no actual keys (so it doesn't just magically show other data). This corrects some assumptions in response_util and wrapping.go; it also corrects a few places in the latter where it could leak a (useless) token in some error cases. * Use same 404 logic in delete/put too * Add the same secret parsing logic to the KV request functions
2018-04-04 02:35:45 +00:00
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
keysRaw, ok := resp.Data["keys"]
if !ok || keysRaw == nil {
Allow returning warnings and other data in 404s in the Go API (#4256) * Allow returning list information and other data in 404s. On read it'll output data and/or warnings on a 404 if they exist. On list, the same behavior; the actual 'vault list' command doesn't change behavior though in terms of output unless there are no actual keys (so it doesn't just magically show other data). This corrects some assumptions in response_util and wrapping.go; it also corrects a few places in the latter where it could leak a (useless) token in some error cases. * Use same 404 logic in delete/put too * Add the same secret parsing logic to the KV request functions
2018-04-04 02:35:45 +00:00
if len(resp.Data) > 0 || len(resp.Warnings) > 0 {
// We could be returning extra metadata on a list, or returning
// warnings with no data, so handle these cases
goto DONELISTHANDLING
}
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return nil, logical.ErrUnsupportedPath
}
Allow returning warnings and other data in 404s in the Go API (#4256) * Allow returning list information and other data in 404s. On read it'll output data and/or warnings on a 404 if they exist. On list, the same behavior; the actual 'vault list' command doesn't change behavior though in terms of output unless there are no actual keys (so it doesn't just magically show other data). This corrects some assumptions in response_util and wrapping.go; it also corrects a few places in the latter where it could leak a (useless) token in some error cases. * Use same 404 logic in delete/put too * Add the same secret parsing logic to the KV request functions
2018-04-04 02:35:45 +00:00
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
keys, ok := keysRaw.([]string)
if !ok {
return nil, logical.ErrUnsupportedPath
}
if len(keys) == 0 {
return nil, logical.ErrUnsupportedPath
}
}
Allow returning warnings and other data in 404s in the Go API (#4256) * Allow returning list information and other data in 404s. On read it'll output data and/or warnings on a 404 if they exist. On list, the same behavior; the actual 'vault list' command doesn't change behavior though in terms of output unless there are no actual keys (so it doesn't just magically show other data). This corrects some assumptions in response_util and wrapping.go; it also corrects a few places in the latter where it could leak a (useless) token in some error cases. * Use same 404 logic in delete/put too * Add the same secret parsing logic to the KV request functions
2018-04-04 02:35:45 +00:00
DONELISTHANDLING:
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
var err error
Add ability to send seal wrap response info into cubbyhole request. (#3562) Ref 84f80db4bf499ce7345615cc2def77e7d48bc690
2017-11-09 17:47:42 +00:00
sealWrap := resp.WrapInfo.SealWrap
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
The big one (#5346)
2018-09-18 03:03:00 +00:00
var ns *namespace.Namespace
// If we are creating a JWT wrapping token we always want them to live in
// the root namespace. These are only used for replication and plugin setup.
switch resp.WrapInfo.Format {
case "jwt":
ns = namespace.RootNamespace
ctx = namespace.ContextWithNamespace(ctx, ns)
default:
ns, err = namespace.FromContext(ctx)
if err != nil {
return nil, err
}
}
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
// If we are wrapping, the first part (performed in this functions) happens
// before auditing so that resp.WrapInfo.Token can contain the HMAC'd
// wrapping token ID in the audit logs, so that it can be determined from
// the audit logs whether the token was ever actually used.
creationTime := time.Now()
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
te := logical.TokenEntry{
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
Path: req.Path,
Policies: []string{"response-wrapping"},
CreationTime: creationTime.Unix(),
TTL: resp.WrapInfo.TTL,
NumUses: 1,
ExplicitMaxTTL: resp.WrapInfo.TTL,
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: ns.ID,
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
if err := c.tokenStore.create(ctx, &te); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
c.logger.Error("failed to create wrapping token", "error", err)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return nil, ErrInternalError
}
resp.WrapInfo.Token = te.ID
Port over bits (#3575)
2017-11-13 20:31:32 +00:00
resp.WrapInfo.Accessor = te.Accessor
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
resp.WrapInfo.CreationTime = creationTime
Store original request path in WrapInfo (#3100) * Store original request path in WrapInfo as CreationPath * Add wrapping_token_creation_path to CLI output * Add CreationPath to AuditResponseWrapInfo * Fix tests * Add and fix tests, update API docs with new sample responses
2017-08-02 22:28:58 +00:00
// If this is not a rewrap, store the request path as creation_path
if req.Path != "sys/wrapping/rewrap" {
resp.WrapInfo.CreationPath = req.Path
}
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if auth != nil && auth.EntityID != "" {
resp.WrapInfo.WrappedEntityID = auth.EntityID
}
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
// This will only be non-nil if this response contains a token, so in that
// case put the accessor in the wrap info.
if resp.Auth != nil {
resp.WrapInfo.WrappedAccessor = resp.Auth.Accessor
}
switch resp.WrapInfo.Format {
case "jwt":
// Create the JWT
claims := jws.Claims{}
Sync some changes
2017-10-23 16:50:34 +00:00
// Map the JWT ID to the token ID for ease of use
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
claims.SetJWTID(te.ID)
// Set the issue time to the creation time
claims.SetIssuedAt(creationTime)
// Set the expiration to the TTL
claims.SetExpiration(creationTime.Add(resp.WrapInfo.TTL))
if resp.Auth != nil {
claims.Set("accessor", resp.Auth.Accessor)
}
claims.Set("type", "wrapping")
claims.Set("addr", c.redirectAddr)
jwt := jws.NewJWT(claims, crypto.SigningMethodES512)
serWebToken, err := jwt.Serialize(c.wrappingJWTKey)
if err != nil {
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
c.tokenStore.revokeOrphan(ctx, te.ID)
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
c.logger.Error("failed to serialize JWT", "error", err)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return nil, ErrInternalError
}
resp.WrapInfo.Token = string(serWebToken)
Sync some changes
2017-10-23 16:50:34 +00:00
if c.redirectAddr == "" {
resp.AddWarning("No redirect address set in Vault so none could be encoded in the token. You may need to supply Vault's API address when unwrapping the token.")
}
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
}
cubbyReq := &logical.Request{
Operation: logical.CreateOperation,
Path: "cubbyhole/response",
ClientToken: te.ID,
}
Add ability to send seal wrap response info into cubbyhole request. (#3562) Ref 84f80db4bf499ce7345615cc2def77e7d48bc690
2017-11-09 17:47:42 +00:00
if sealWrap {
cubbyReq.WrapInfo = &logical.RequestWrapInfo{
SealWrap: true,
}
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
cubbyReq.SetTokenEntry(&te)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
// During a rewrap, store the original response, don't wrap it again.
if req.Path == "sys/wrapping/rewrap" {
cubbyReq.Data = map[string]interface{}{
"response": resp.Data["response"],
}
} else {
httpResponse := logical.LogicalResponseToHTTPResponse(resp)
// Add the unique identifier of the original request to the response
httpResponse.RequestID = req.ID
// Because of the way that JSON encodes (likely just in Go) we actually get
// mixed-up values for ints if we simply put this object in the response
// and encode the whole thing; so instead we marshal it first, then store
// the string response. This actually ends up making it easier on the
// client side, too, as it becomes a straight read-string-pass-to-unmarshal
// operation.
marshaledResponse, err := json.Marshal(httpResponse)
if err != nil {
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
c.tokenStore.revokeOrphan(ctx, te.ID)
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
c.logger.Error("failed to marshal wrapped response", "error", err)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return nil, ErrInternalError
}
cubbyReq.Data = map[string]interface{}{
"response": string(marshaledResponse),
}
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
cubbyResp, err := c.router.Route(ctx, cubbyReq)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
if err != nil {
// Revoke since it's not yet being tracked for expiration
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
c.tokenStore.revokeOrphan(ctx, te.ID)
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
c.logger.Error("failed to store wrapped response information", "error", err)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return nil, ErrInternalError
}
if cubbyResp != nil && cubbyResp.IsError() {
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
c.tokenStore.revokeOrphan(ctx, te.ID)
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
c.logger.Error("failed to store wrapped response information", "error", cubbyResp.Data["error"])
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return cubbyResp, nil
}
// Store info for lookup
Add ability to send seal wrap response info into cubbyhole request. (#3562) Ref 84f80db4bf499ce7345615cc2def77e7d48bc690
2017-11-09 17:47:42 +00:00
cubbyReq.WrapInfo = nil
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
cubbyReq.Path = "cubbyhole/wrapinfo"
cubbyReq.Data = map[string]interface{}{
"creation_ttl": resp.WrapInfo.TTL,
"creation_time": creationTime,
}
Store original request path in WrapInfo (#3100) * Store original request path in WrapInfo as CreationPath * Add wrapping_token_creation_path to CLI output * Add CreationPath to AuditResponseWrapInfo * Fix tests * Add and fix tests, update API docs with new sample responses
2017-08-02 22:28:58 +00:00
// Store creation_path if not a rewrap
if req.Path != "sys/wrapping/rewrap" {
cubbyReq.Data["creation_path"] = req.Path
} else {
cubbyReq.Data["creation_path"] = resp.WrapInfo.CreationPath
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
cubbyResp, err = c.router.Route(ctx, cubbyReq)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
if err != nil {
// Revoke since it's not yet being tracked for expiration
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
c.tokenStore.revokeOrphan(ctx, te.ID)
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
c.logger.Error("failed to store wrapping information", "error", err)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return nil, ErrInternalError
}
if cubbyResp != nil && cubbyResp.IsError() {
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
c.tokenStore.revokeOrphan(ctx, te.ID)
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
c.logger.Error("failed to store wrapping information", "error", cubbyResp.Data["error"])
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return cubbyResp, nil
}
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
wAuth := &logical.Auth{
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
ClientToken: te.ID,
Policies: []string{"response-wrapping"},
LeaseOptions: logical.LeaseOptions{
TTL: te.TTL,
Renewable: false,
},
}
// Register the wrapped token with the expiration manager
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err := c.expiration.RegisterAuth(ctx, &te, wAuth); err != nil {
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
// Revoke since it's not yet being tracked for expiration
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
c.tokenStore.revokeOrphan(ctx, te.ID)
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
c.logger.Error("failed to register cubbyhole wrapping token lease", "request_path", req.Path, "error", err)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return nil, ErrInternalError
}
return nil, nil
}
Store original request path in WrapInfo (#3100) * Store original request path in WrapInfo as CreationPath * Add wrapping_token_creation_path to CLI output * Add CreationPath to AuditResponseWrapInfo * Fix tests * Add and fix tests, update API docs with new sample responses
2017-08-02 22:28:58 +00:00
// ValidateWrappingToken checks whether a token is a wrapping token.
The big one (#5346)
2018-09-18 03:03:00 +00:00
func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request) (bool, error) {
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
if req == nil {
return false, fmt.Errorf("invalid request")
}
var err error
var token string
When a JWT wrapping token is returned, audit the inner token both for request and response. This makes it far easier to properly check validity elsewhere in Vault because we simply replace the request client token with the inner value.
2017-01-05 04:50:24 +00:00
var thirdParty bool
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
if req.Data != nil && req.Data["token"] != nil {
When a JWT wrapping token is returned, audit the inner token both for request and response. This makes it far easier to properly check validity elsewhere in Vault because we simply replace the request client token with the inner value.
2017-01-05 04:50:24 +00:00
thirdParty = true
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
if tokenStr, ok := req.Data["token"].(string); !ok {
return false, fmt.Errorf("could not decode token in request body")
} else if tokenStr == "" {
return false, fmt.Errorf("empty token in request body")
} else {
token = tokenStr
}
} else {
token = req.ClientToken
}
// Check for it being a JWT. If it is, and it is valid, we extract the
// internal client token from it and use that during lookup.
if strings.Count(token, ".") == 2 {
wt, err := jws.ParseJWT([]byte(token))
// If there's an error we simply fall back to attempting to use it as a regular token
if err == nil && wt != nil {
validator := &jwt.Validator{}
validator.SetClaim("type", "wrapping")
if err = wt.Validate(&c.wrappingJWTKey.PublicKey, crypto.SigningMethodES512, []*jwt.Validator{validator}...); err != nil {
return false, errwrap.Wrapf("wrapping token signature could not be validated: {{err}}", err)
}
token, _ = wt.Claims().JWTID()
When a JWT wrapping token is returned, audit the inner token both for request and response. This makes it far easier to properly check validity elsewhere in Vault because we simply replace the request client token with the inner value.
2017-01-05 04:50:24 +00:00
// We override the given request client token so that the rest of
// Vault sees the real value. This also ensures audit logs are
// consistent with the actual token that was issued.
if !thirdParty {
req.ClientToken = token
} else {
req.Data["token"] = token
}
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
}
}
if token == "" {
return false, fmt.Errorf("token is empty")
}
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 20:57:25 +00:00
if c.Sealed() {
Port some replication bits to OSS (#2386)
2017-02-16 20:15:02 +00:00
return false, consts.ErrSealed
Add read locks to LookupToken/ValidateWrappingToken (#2232)
2017-01-04 21:52:03 +00:00
}
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 20:57:25 +00:00
c.stateLock.RLock()
defer c.stateLock.RUnlock()
The big one (#5346)
2018-09-18 03:03:00 +00:00
if c.standby && !c.perfStandby {
Port some replication bits to OSS (#2386)
2017-02-16 20:15:02 +00:00
return false, consts.ErrStandby
Add read locks to LookupToken/ValidateWrappingToken (#2232)
2017-01-04 21:52:03 +00:00
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
te, err := c.tokenStore.Lookup(ctx, token)
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
if err != nil {
return false, err
}
if te == nil {
return false, nil
}
if len(te.Policies) != 1 {
return false, nil
}
Port over bits (#3575)
2017-11-13 20:31:32 +00:00
if te.Policies[0] != responseWrappingPolicyName && te.Policies[0] != controlGroupPolicyName {
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return false, nil
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
if !thirdParty {
req.ClientTokenAccessor = te.Accessor
req.ClientTokenRemainingUses = te.NumUses
req.SetTokenEntry(te)
}
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
return true, nil
}