open-vault/http/logical.go

267 lines
6.5 KiB
Go
Raw Normal View History

package http
import (
2015-04-07 21:36:17 +00:00
"io"
"net"
"net/http"
"strconv"
"strings"
"time"
"github.com/hashicorp/errwrap"
2016-07-26 19:50:37 +00:00
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/vault"
)
2016-09-29 04:01:28 +00:00
type PrepareRequestFunc func(*vault.Core, *logical.Request) error
func buildLogicalRequest(core *vault.Core, w http.ResponseWriter, r *http.Request) (*logical.Request, int, error) {
// Determine the path...
if !strings.HasPrefix(r.URL.Path, "/v1/") {
return nil, http.StatusNotFound, nil
}
path := r.URL.Path[len("/v1/"):]
if path == "" {
return nil, http.StatusNotFound, nil
}
// Determine the operation
var op logical.Operation
switch r.Method {
case "DELETE":
op = logical.DeleteOperation
case "GET":
op = logical.ReadOperation
// Need to call ParseForm to get query params loaded
queryVals := r.URL.Query()
listStr := queryVals.Get("list")
if listStr != "" {
list, err := strconv.ParseBool(listStr)
2015-04-07 21:36:17 +00:00
if err != nil {
return nil, http.StatusBadRequest, nil
}
if list {
op = logical.ListOperation
}
}
case "POST", "PUT":
op = logical.UpdateOperation
case "LIST":
op = logical.ListOperation
2017-06-17 04:04:55 +00:00
case "OPTIONS":
default:
return nil, http.StatusMethodNotAllowed, nil
}
if op == logical.ListOperation {
if !strings.HasSuffix(path, "/") {
path += "/"
}
}
// Parse the request if we can
var data map[string]interface{}
if op == logical.UpdateOperation {
err := parseRequest(r, w, &data)
if err == io.EOF {
data = nil
err = nil
}
if err != nil {
return nil, http.StatusBadRequest, err
}
}
var err error
2016-07-26 19:50:37 +00:00
request_id, err := uuid.GenerateUUID()
if err != nil {
return nil, http.StatusBadRequest, errwrap.Wrapf("failed to generate identifier for the request: {{err}}", err)
}
req := requestAuth(core, r, &logical.Request{
2016-07-26 20:44:50 +00:00
ID: request_id,
Operation: op,
Path: path,
Data: data,
Connection: getConnection(r),
Headers: r.Header,
})
2017-01-04 21:44:03 +00:00
req, err = requestWrapInfo(r, req)
if err != nil {
return nil, http.StatusBadRequest, errwrap.Wrapf("error parsing X-Vault-Wrap-TTL header: {{err}}", err)
}
return req, 0, nil
}
func handleLogical(core *vault.Core, injectDataIntoTopLevel bool, prepareRequestCallback PrepareRequestFunc) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
req, statusCode, err := buildLogicalRequest(core, w, r)
if err != nil || statusCode != 0 {
respondError(w, statusCode, err)
return
}
2016-05-19 17:33:51 +00:00
// Certain endpoints may require changes to the request object. They
// will have a callback registered to do the needed operations, so
// invoke it before proceeding.
if prepareRequestCallback != nil {
2016-09-29 04:01:28 +00:00
if err := prepareRequestCallback(core, req); err != nil {
respondError(w, http.StatusBadRequest, err)
return
}
}
// Make the internal request. We attach the connection info
// as well in case this is an authentication request that requires
// it. Vault core handles stripping this if we need to. This also
// handles all error cases; if we hit respondLogical, the request is a
// success.
resp, ok := request(core, w, r, req)
2015-04-08 18:19:03 +00:00
if !ok {
return
}
2015-04-14 00:21:31 +00:00
// Build the proper response
respondLogical(w, r, req, injectDataIntoTopLevel, resp)
2015-04-14 00:21:31 +00:00
})
}
func respondLogical(w http.ResponseWriter, r *http.Request, req *logical.Request, injectDataIntoTopLevel bool, resp *logical.Response) {
2016-08-08 15:55:24 +00:00
var httpResp *logical.HTTPResponse
var ret interface{}
2015-04-14 00:21:31 +00:00
if resp != nil {
if resp.Redirect != "" {
// If we have a redirect, redirect! We use a 307 code
2015-04-14 00:21:31 +00:00
// because we don't actually know if its permanent.
http.Redirect(w, r, resp.Redirect, 307)
return
}
2015-05-27 21:10:00 +00:00
// Check if this is a raw response
2016-09-29 04:01:28 +00:00
if _, ok := resp.Data[logical.HTTPStatusCode]; ok {
respondRaw(w, r, resp)
2015-05-27 21:10:00 +00:00
return
}
if resp.WrapInfo != nil && resp.WrapInfo.Token != "" {
2016-08-08 15:55:24 +00:00
httpResp = &logical.HTTPResponse{
WrapInfo: &logical.HTTPWrapInfo{
Token: resp.WrapInfo.Token,
2017-11-13 20:31:32 +00:00
Accessor: resp.WrapInfo.Accessor,
TTL: int(resp.WrapInfo.TTL.Seconds()),
CreationTime: resp.WrapInfo.CreationTime.Format(time.RFC3339Nano),
CreationPath: resp.WrapInfo.CreationPath,
WrappedAccessor: resp.WrapInfo.WrappedAccessor,
},
}
} else {
2016-09-29 19:03:47 +00:00
httpResp = logical.LogicalResponseToHTTPResponse(resp)
2016-08-08 15:55:24 +00:00
httpResp.RequestID = req.ID
}
ret = httpResp
if injectDataIntoTopLevel {
2016-08-08 15:55:24 +00:00
injector := logical.HTTPSysInjector{
Response: httpResp,
}
ret = injector
}
2015-04-14 00:21:31 +00:00
}
// Respond
2016-08-08 15:55:24 +00:00
respondOk(w, ret)
return
}
2015-05-27 21:10:00 +00:00
// respondRaw is used when the response is using HTTPContentType and HTTPRawBody
// to change the default response handling. This is only used for specific things like
// returning the CRL information on the PKI backends.
2016-09-29 04:01:28 +00:00
func respondRaw(w http.ResponseWriter, r *http.Request, resp *logical.Response) {
retErr := func(w http.ResponseWriter, err string) {
w.Header().Set("X-Vault-Raw-Error", err)
w.WriteHeader(http.StatusInternalServerError)
w.Write(nil)
}
2015-05-27 21:10:00 +00:00
// Ensure this is never a secret or auth response
if resp.Secret != nil || resp.Auth != nil {
2016-09-29 04:01:28 +00:00
retErr(w, "raw responses cannot contain secrets or auth")
2015-05-27 21:10:00 +00:00
return
}
// Get the status code
statusRaw, ok := resp.Data[logical.HTTPStatusCode]
if !ok {
2016-09-29 04:01:28 +00:00
retErr(w, "no status code given")
2015-05-27 21:10:00 +00:00
return
}
status, ok := statusRaw.(int)
if !ok {
2016-09-29 04:01:28 +00:00
retErr(w, "cannot decode status code")
2015-05-27 21:10:00 +00:00
return
}
2016-09-29 04:01:28 +00:00
nonEmpty := status != http.StatusNoContent
var contentType string
var body []byte
// Get the content type header; don't require it if the body is empty
2015-05-27 21:10:00 +00:00
contentTypeRaw, ok := resp.Data[logical.HTTPContentType]
if !ok && nonEmpty {
2016-09-29 04:01:28 +00:00
retErr(w, "no content type given")
2015-05-27 21:10:00 +00:00
return
}
2016-09-29 04:01:28 +00:00
if ok {
contentType, ok = contentTypeRaw.(string)
if !ok {
retErr(w, "cannot decode content type")
return
}
2015-05-27 21:10:00 +00:00
}
2016-09-29 04:01:28 +00:00
if nonEmpty {
// Get the body
bodyRaw, ok := resp.Data[logical.HTTPRawBody]
if !ok {
retErr(w, "no body given")
return
}
body, ok = bodyRaw.([]byte)
if !ok {
retErr(w, "cannot decode body")
return
}
2015-05-27 21:10:00 +00:00
}
// Write the response
2016-09-29 04:01:28 +00:00
if contentType != "" {
w.Header().Set("Content-Type", contentType)
}
2015-05-27 21:10:00 +00:00
w.WriteHeader(status)
w.Write(body)
}
// getConnection is used to format the connection information for
// attaching to a logical request
func getConnection(r *http.Request) (connection *logical.Connection) {
var remoteAddr string
remoteAddr, _, err := net.SplitHostPort(r.RemoteAddr)
if err != nil {
remoteAddr = ""
}
connection = &logical.Connection{
RemoteAddr: remoteAddr,
ConnState: r.TLS,
}
return
}