package http
import (
	"bufio"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"mime"
	"net"
	"net/http"
	"strconv"
	"strings"
	"time"

	uuid "github.com/hashicorp/go-uuid"
	"github.com/hashicorp/vault/helper/namespace"
	"github.com/hashicorp/vault/sdk/helper/consts"
	"github.com/hashicorp/vault/sdk/logical"
	"github.com/hashicorp/vault/vault"
	"go.uber.org/atomic"
)
// bufferedReader wraps a request body in a bufio.Reader so that callers can
// Peek at the leading bytes without consuming them. Read and Peek come from
// the embedded bufio.Reader; Close is forwarded to the body it was built from,
// since bufio.Reader has no Close of its own.
type bufferedReader struct {
	*bufio.Reader
	rOrig io.ReadCloser
}

// newBufferedReader returns a bufferedReader over r. The bufio.Reader is
// created with the package default buffer size, which bounds how far Peek can
// look ahead before it reports bufio.ErrBufferFull.
func newBufferedReader(r io.ReadCloser) *bufferedReader {
	br := new(bufferedReader)
	br.Reader = bufio.NewReader(r)
	br.rOrig = r
	return br
}

// Close closes the original body and returns whatever its Close reports.
func (b *bufferedReader) Close() error {
	orig := b.rOrig
	return orig.Close()
}
// MergePatchContentTypeHeader is the only Content-Type accepted for PATCH
// requests (the JSON merge patch media type from RFC 7396).
// buildLogicalRequestNoAuth rejects any other media type with
// 415 Unsupported Media Type.
const MergePatchContentTypeHeader = "application/merge-patch+json"
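// buildLogicalRequestNoAuth translates an incoming HTTP request into a
// logical.Request without consulting any authentication headers (those are
// layered on by buildLogicalRequest).
//
// It returns the request; the original, unparsed body in the cases where it
// has to be preserved for forwarding (raft snapshot uploads, and whatever
// parseJSONRequest hands back); a non-zero HTTP status when the request must
// be rejected outright; and an error describing a parse failure. Callers treat
// either a non-zero status or a non-nil error as "respond with an error". A
// non-zero status with a nil error means "reject, with no message".
//
// perfStandby is passed straight through to parseJSONRequest; what it changes
// there is defined elsewhere in this package.
func buildLogicalRequestNoAuth(perfStandby bool, w http.ResponseWriter, r *http.Request) (*logical.Request, io.ReadCloser, int, error) {
	ns, err := namespace.FromContext(r.Context())
	if err != nil {
		return nil, nil, http.StatusBadRequest, nil
	}

	// Strip the API version prefix the same way buildLogicalPath does. The
	// previous fixed-offset slice, r.URL.Path[len("/v1/"):], panics on a path
	// shorter than four bytes and silently mangles one that does not start
	// with "/v1/"; TrimPrefix is a no-op in both of those cases. This handler
	// is expected to be mounted under /v1/, so the common case is unchanged.
	path := ns.TrimmedPath(strings.TrimPrefix(r.URL.Path, "/v1/"))

	var (
		data           map[string]interface{}
		origBody       io.ReadCloser
		passHTTPReq    bool
		responseWriter http.ResponseWriter
		op             logical.Operation
	)

	switch r.Method {
	case http.MethodDelete:
		op = logical.DeleteOperation
		data = parseQuery(r.URL.Query())

	case http.MethodGet:
		op = logical.ReadOperation
		queryVals := r.URL.Query()

		// ?list=<bool> turns a GET into a LIST; a list path always ends in "/".
		var list bool
		if listStr := queryVals.Get("list"); listStr != "" {
			var perr error
			list, perr = strconv.ParseBool(listStr)
			if perr != nil {
				return nil, nil, http.StatusBadRequest, nil
			}
			if list {
				op = logical.ListOperation
				if !strings.HasSuffix(path, "/") {
					path += "/"
				}
			}
		}

		// Query parameters become request data only for plain reads; a list
		// request carries no data.
		if !list {
			data = parseQuery(queryVals)
		}

		// A handful of system endpoints stream their output straight to the
		// client and therefore need the raw ResponseWriter; pprof and monitor
		// additionally need the *http.Request itself.
		switch {
		case strings.HasPrefix(path, "sys/pprof/"):
			passHTTPReq = true
			responseWriter = w
		case path == "sys/storage/raft/snapshot":
			responseWriter = w
		case path == "sys/internal/counters/activity/export":
			responseWriter = w
		case path == "sys/monitor":
			passHTTPReq = true
			responseWriter = w
		}

	case http.MethodPost, http.MethodPut:
		op = logical.UpdateOperation

		// Buffer the body so that its head can be inspected without being
		// consumed. bufio reads ahead into its own buffer; it does not copy
		// the whole stream.
		bufferedBody := newBufferedReader(r.Body)
		r.Body = bufferedBody

		if path == "sys/storage/raft/snapshot" || path == "sys/storage/raft/snapshot-force" {
			// Snapshot uploads are not parsed here; the backend consumes the
			// HTTP request (and the untouched body) itself.
			passHTTPReq = true
			origBody = r.Body
		} else {
			// Sniff the first bytes to decide between form and JSON parsing.
			// The 512-byte window is arbitrary but deliberately generous: it
			// tolerates leading whitespace and a wrong Content-Type.
			// ErrBufferFull and EOF only say the body is longer or shorter
			// than the window, so they are not errors here.
			head, perr := bufferedBody.Peek(512)
			if perr != nil && perr != bufio.ErrBufferFull && perr != io.EOF {
				status := http.StatusBadRequest
				logical.AdjustErrorStatusCode(&status, perr)
				return nil, nil, status, fmt.Errorf("error reading data")
			}

			if isForm(head, r.Header.Get("Content-Type")) {
				formData, ferr := parseFormRequest(r)
				if ferr != nil {
					status := http.StatusBadRequest
					logical.AdjustErrorStatusCode(&status, ferr)
					return nil, nil, status, fmt.Errorf("error parsing form data")
				}
				data = formData
			} else {
				var jerr error
				origBody, jerr = parseJSONRequest(perfStandby, r, w, &data)
				// An empty body is a valid update carrying no data.
				if jerr == io.EOF {
					data = nil
					jerr = nil
				}
				if jerr != nil {
					status := http.StatusBadRequest
					logical.AdjustErrorStatusCode(&status, jerr)
					return nil, nil, status, fmt.Errorf("error parsing JSON")
				}
			}
		}

	case http.MethodPatch:
		op = logical.PatchOperation

		// PATCH is only defined for JSON merge patch. An unparseable
		// Content-Type is a 400; a parseable but different one is a 415.
		contentType, _, perr := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if perr != nil {
			status := http.StatusBadRequest
			logical.AdjustErrorStatusCode(&status, perr)
			return nil, nil, status, perr
		}
		if contentType != MergePatchContentTypeHeader {
			return nil, nil, http.StatusUnsupportedMediaType, fmt.Errorf("PATCH requires Content-Type of %s, provided %s", MergePatchContentTypeHeader, contentType)
		}

		var jerr error
		origBody, jerr = parseJSONRequest(perfStandby, r, w, &data)
		// As for POST/PUT, an empty body is accepted as "no data".
		if jerr == io.EOF {
			data = nil
			jerr = nil
		}
		if jerr != nil {
			status := http.StatusBadRequest
			logical.AdjustErrorStatusCode(&status, jerr)
			return nil, nil, status, fmt.Errorf("error parsing JSON")
		}

	case "LIST":
		op = logical.ListOperation
		if !strings.HasSuffix(path, "/") {
			path += "/"
		}
		data = parseQuery(r.URL.Query())

	case http.MethodOptions, http.MethodHead:
		// Accepted, but op is left at its zero value and no data is parsed;
		// how these are answered is decided further down the call chain.

	default:
		return nil, nil, http.StatusMethodNotAllowed, nil
	}

	requestID, err := uuid.GenerateUUID()
	if err != nil {
		return nil, nil, http.StatusInternalServerError, fmt.Errorf("failed to generate identifier for the request: %w", err)
	}

	req := &logical.Request{
		ID:         requestID,
		Operation:  op,
		Path:       path,
		Data:       data,
		Connection: getConnection(r),
		Headers:    r.Header,
	}
	if passHTTPReq {
		req.HTTPRequest = r
	}
	if responseWriter != nil {
		req.ResponseWriter = logical.NewHTTPResponseWriter(responseWriter)
	}

	return req, origBody, 0, nil
}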
// buildLogicalPath derives the logical path for r: the namespace-trimmed URL
// path with the "/v1/" prefix removed, plus a trailing "/" when the request is
// a list (an explicit LIST method, or a GET with ?list=<true>). It returns a
// non-zero status (400) when the namespace cannot be read from the context or
// when ?list= is not a valid boolean; the error result is always nil.
func buildLogicalPath(r *http.Request) (string, int, error) {
	ns, err := namespace.FromContext(r.Context())
	if err != nil {
		return "", http.StatusBadRequest, nil
	}
	path := ns.TrimmedPath(strings.TrimPrefix(r.URL.Path, "/v1/"))

	wantsList := false
	switch r.Method {
	case http.MethodGet:
		if raw := r.URL.Query().Get("list"); raw != "" {
			parsed, perr := strconv.ParseBool(raw)
			if perr != nil {
				return "", http.StatusBadRequest, nil
			}
			wantsList = parsed
		}
	case "LIST":
		wantsList = true
	}

	// List paths are directory-like and must end in a slash.
	if wantsList && !strings.HasSuffix(path, "/") {
		path += "/"
	}

	return path, 0, nil
}
// buildLogicalRequest builds the logical request for r and then layers the
// authentication-related headers on top: the required-state index header,
// the token (requestAuth), response wrapping (requestWrapInfo), the MFA
// header and the policy override header. Each header parser that fails turns
// into a 400 with a message naming the header. The returned body and status
// follow the same contract as buildLogicalRequestNoAuth.
func buildLogicalRequest(core *vault.Core, w http.ResponseWriter, r *http.Request) (*logical.Request, io.ReadCloser, int, error) {
	req, origBody, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), w, r)
	if err != nil || status != 0 {
		return nil, nil, status, err
	}

	req.SetRequiredState(r.Header.Values(VaultIndexHeaderName))
	requestAuth(r, req)

	// requestWrapInfo may hand back a replacement request, so keep its result.
	wrapped, wrapErr := requestWrapInfo(r, req)
	if wrapErr != nil {
		return nil, nil, http.StatusBadRequest, fmt.Errorf("error parsing X-Vault-Wrap-TTL header: %w", wrapErr)
	}
	req = wrapped

	if mfaErr := parseMFAHeader(req); mfaErr != nil {
		return nil, nil, http.StatusBadRequest, fmt.Errorf("failed to parse X-Vault-MFA header: %w", mfaErr)
	}

	if overrideErr := requestPolicyOverride(r, req); overrideErr != nil {
		return nil, nil, http.StatusBadRequest, fmt.Errorf("failed to parse %s header: %w", PolicyOverrideHeaderName, overrideErr)
	}

	return req, origBody, 0, nil
}
// handleLogical returns the handler for ordinary logical requests: the
// response envelope is returned as-is (no top-level data injection) and the
// request may be forwarded to the active node when a performance standby
// cannot serve it locally. Cases that lead to forwarding include:
//   - a perf standby and a token with a limited use count;
//   - a perf standby that needs to re-validate the token (e.g. an invalid token);
//   - a perf standby hitting a control group error.
func handleLogical(core *vault.Core) http.Handler {
	const (
		injectDataIntoTopLevel = false
		noForward              = false
	)
	return handleLogicalInternal(core, injectDataIntoTopLevel, noForward)
}
// handleLogicalWithInjector returns a handler identical to handleLogical
// except that the logical response's data is also injected at the top level
// of the JSON payload (see respondLogical). Forwarding behaviour is unchanged.
func handleLogicalWithInjector(core *vault.Core) http.Handler {
	const (
		injectDataIntoTopLevel = true
		noForward              = false
	)
	return handleLogicalInternal(core, injectDataIntoTopLevel, noForward)
}
// handleLogicalNoForward returns a handler for local-only logical requests.
// Such requests are never forwarded: if the core reports that forwarding is
// needed, the client gets a 400 carrying vault.ErrCannotForwardLocalOnly
// instead (see handleLogicalInternal).
func handleLogicalNoForward(core *vault.Core) http.Handler {
	const (
		injectDataIntoTopLevel = false
		noForward              = true
	)
	return handleLogicalInternal(core, injectDataIntoTopLevel, noForward)
}
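// handleLogicalRecovery returns the handler used while Vault is serving raw
// storage requests through the recovery path. It bypasses the normal token
// and policy machinery entirely: the caller must present the recovery token
// held in token, verbatim, in the auth header (consts.AuthHeaderName), and the
// request is then dispatched straight to the raw backend.
//
// Because that single value grants raw storage access, it is checked in
// constant time (the previous `reqToken != token.Load()` string comparison
// short-circuits on the first differing byte, which is measurable over the
// network) and the atomic is read exactly once, so the emptiness check and
// the comparison cannot observe two different values.
func handleLogicalRecovery(raw *vault.RawBackend, token *atomic.String) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, _, statusCode, err := buildLogicalRequestNoAuth(false, w, r)
		if err != nil || statusCode != 0 {
			respondError(w, statusCode, err)
			return
		}

		presented := r.Header.Get(consts.AuthHeaderName)
		expected := token.Load()
		if !recoveryTokenMatches(presented, expected) {
			// No error body: do not tell the caller whether a token is set.
			respondError(w, http.StatusForbidden, nil)
			return
		}

		resp, err := raw.HandleRequest(r.Context(), req)
		if respondErrorCommon(w, req, resp, err) {
			return
		}

		var httpResp *logical.HTTPResponse
		if resp != nil {
			httpResp = logical.LogicalResponseToHTTPResponse(resp)
			httpResp.RequestID = req.ID
		}
		respondOk(w, httpResp)
	})
}

// recoveryTokenMatches reports whether presented equals expected. An empty
// value on either side never matches, so an unset recovery token cannot be
// satisfied by an empty header. The comparison is constant-time in the
// content of the strings; subtle.ConstantTimeCompare does return early on a
// length mismatch, so only the token length, not its bytes, is observable.
func recoveryTokenMatches(presented, expected string) bool {
	if presented == "" || expected == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}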
// handleLogicalInternal is the shared implementation behind handleLogical,
// handleLogicalWithInjector and handleLogicalNoForward. It builds the logical
// request (including auth headers), runs it through request(), and then
// either forwards it, refuses to forward it (noForward), returns because
// request() already wrote an error, or renders the response via
// respondLogical. injectDataIntoTopLevel is passed on to respondLogical.
func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool, noForward bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, origBody, statusCode, err := buildLogicalRequest(core, w, r)
		if err != nil || statusCode != 0 {
			respondError(w, statusCode, err)
			return
		}

		// The connection info attached to req is kept in case this is an
		// auth request that needs it; core strips it where appropriate.
		// request() handles every error case itself, so reaching
		// respondLogical below means the request succeeded.
		resp, ok, needsForward := request(core, w, r, req)

		if needsForward {
			if noForward {
				respondError(w, http.StatusBadRequest, vault.ErrCannotForwardLocalOnly)
				return
			}
			// Put the unparsed body back so the forwarded request carries
			// exactly what the client sent.
			if origBody != nil {
				r.Body = origBody
			}
			forwardRequest(core, w, r)
			return
		}

		if !ok {
			// request() has already written the status code and payload.
			return
		}

		respondLogical(core, w, r, req, resp, injectDataIntoTopLevel)
	})
}
// respondLogical renders a successful logical response to the client. In
// order of precedence: nothing is written if the backend already streamed to
// the response writer; a Redirect becomes a 307; a response carrying
// logical.HTTPStatusCode is handed to respondRaw; a response with wrapping
// info is reduced to just the wrap info; otherwise the response is converted
// to the standard JSON envelope (optionally with its data injected at the top
// level when injectDataIntoTopLevel is set). adjustResponse runs before the
// final write. A nil resp produces an empty OK payload.
func respondLogical(core *vault.Core, w http.ResponseWriter, r *http.Request, req *logical.Request, resp *logical.Response, injectDataIntoTopLevel bool) {
	// A backend that wrote through req.ResponseWriter has already sent
	// headers; adding anything now would corrupt the response.
	if req != nil && req.ResponseWriter != nil && req.ResponseWriter.Written() {
		return
	}

	var payload interface{}

	if resp != nil {
		if resp.Redirect != "" {
			// 307 rather than 301/302: we cannot know whether the move is
			// permanent, and 307 preserves the method and body.
			http.Redirect(w, r, resp.Redirect, http.StatusTemporaryRedirect)
			return
		}

		if _, isRaw := resp.Data[logical.HTTPStatusCode]; isRaw {
			respondRaw(w, r, resp)
			return
		}

		var httpResp *logical.HTTPResponse
		if wi := resp.WrapInfo; wi != nil && wi.Token != "" {
			// Wrapped responses expose only the wrapping token metadata; the
			// real payload lives behind the token.
			httpResp = &logical.HTTPResponse{
				WrapInfo: &logical.HTTPWrapInfo{
					Token:           wi.Token,
					Accessor:        wi.Accessor,
					TTL:             int(wi.TTL.Seconds()),
					CreationTime:    wi.CreationTime.Format(time.RFC3339Nano),
					CreationPath:    wi.CreationPath,
					WrappedAccessor: wi.WrappedAccessor,
				},
			}
		} else {
			// req is expected to be non-nil by this point.
			httpResp = logical.LogicalResponseToHTTPResponse(resp)
			httpResp.RequestID = req.ID
		}

		if injectDataIntoTopLevel {
			payload = logical.HTTPSysInjector{Response: httpResp}
		} else {
			payload = httpResp
		}
	}

	adjustResponse(core, w, req)
	respondOk(w, payload)
}
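// respondRaw writes a response whose status, content type and body the
// backend chose itself through the logical.HTTPStatusCode, HTTPContentType
// and HTTPRawBody keys of resp.Data, bypassing the usual JSON envelope. It is
// used for things like serving the CRL from the PKI backends. Raw responses
// must never carry a Secret or Auth, since those would leave Vault without
// the normal lease/token handling.
//
// Any malformed raw response is reported as a 500 with the reason in the
// X-Vault-Raw-Error header and an empty body. Optional Cache-Control, Pragma
// and WWW-Authenticate headers are copied from resp.Data when present as
// strings. r is currently unused but kept for signature stability.
func respondRaw(w http.ResponseWriter, r *http.Request, resp *logical.Response) {
	retErr := func(w http.ResponseWriter, msg string) {
		w.Header().Set("X-Vault-Raw-Error", msg)
		w.WriteHeader(http.StatusInternalServerError)
		w.Write(nil)
	}

	if resp.Secret != nil || resp.Auth != nil {
		retErr(w, "raw responses cannot contain secrets or auth")
		return
	}

	statusRaw, ok := resp.Data[logical.HTTPStatusCode]
	if !ok {
		retErr(w, "no status code given")
		return
	}

	// The status arrives as a native int, as a float64 (plain JSON decoding)
	// or as a json.Number (UseNumber decoding), depending on the route the
	// response took to get here.
	var status int
	switch v := statusRaw.(type) {
	case int:
		status = v
	case float64:
		status = int(v)
	case json.Number:
		f, err := v.Float64()
		if err != nil {
			retErr(w, "cannot decode status code")
			return
		}
		status = int(f)
	default:
		retErr(w, "cannot decode status code")
		return
	}

	// net/http's WriteHeader panics on codes outside 100-999. Reject them
	// here so a misbehaving backend produces a clean 500 rather than a panic
	// in the handler.
	if status < 100 || status > 999 {
		retErr(w, "invalid status code")
		return
	}

	nonEmpty := status != http.StatusNoContent

	// A content type is required only when a body is expected.
	var contentType string
	if ctRaw, present := resp.Data[logical.HTTPContentType]; present {
		ct, isString := ctRaw.(string)
		if !isString {
			retErr(w, "cannot decode content type")
			return
		}
		contentType = ct
	} else if nonEmpty {
		retErr(w, "no content type given")
		return
	}

	var body []byte
	if nonEmpty {
		// A missing body key is allowed: headers are written and the body
		// stays empty. A present key must decode, though.
		if bodyRaw, present := resp.Data[logical.HTTPRawBody]; present {
			switch v := bodyRaw.(type) {
			case string:
				// Best effort: the value may or may not be base64 encoded
				// (it is after a wrap/unwrap round trip), so fall back to
				// using it verbatim when decoding fails.
				if dec, err := base64.StdEncoding.DecodeString(v); err == nil {
					body = dec
				} else {
					body = []byte(v)
				}
			case []byte:
				body = v
			default:
				retErr(w, "cannot decode body")
				return
			}
		}
	}

	if contentType != "" {
		w.Header().Set("Content-Type", contentType)
	}
	if cacheControl, ok := resp.Data[logical.HTTPCacheControlHeader].(string); ok {
		w.Header().Set("Cache-Control", cacheControl)
	}
	if pragma, ok := resp.Data[logical.HTTPPragmaHeader].(string); ok {
		w.Header().Set("Pragma", pragma)
	}
	if wwwAuthn, ok := resp.Data[logical.HTTPWWWAuthenticateHeader].(string); ok {
		w.Header().Set("WWW-Authenticate", wwwAuthn)
	}

	w.WriteHeader(status)
	w.Write(body)
}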
// getConnection builds the logical.Connection attached to every logical
// request. RemoteAddr is the host part of r.RemoteAddr and RemotePort its
// numeric port; both fall back to their zero values ("" and 0) when
// r.RemoteAddr is not a host:port pair or the port does not parse as an
// integer. ConnState carries the request's TLS state, which is nil for
// plaintext connections. The port is surfaced downstream (the commit that
// added it mentions audit logs).
func getConnection(r *http.Request) (connection *logical.Connection) {
	host, portStr, err := net.SplitHostPort(r.RemoteAddr)

	var port int
	if err != nil {
		// Not a host:port pair; report nothing rather than a partial value.
		host = ""
	} else if port, err = strconv.Atoi(portStr); err != nil {
		port = 0
	}

	return &logical.Connection{
		RemoteAddr: host,
		RemotePort: port,
		ConnState:  r.TLS,
	}
}