open-vault/command/server/listener.go

package server

import (
	"github.com/hashicorp/errwrap"
	// We must import sha512 so that it registers with the runtime so that
	// certificates that use it can be parsed.
	_ "crypto/sha512"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"io/ioutil"
	"net"

	"github.com/hashicorp/vault/helper/parseutil"
	"github.com/hashicorp/vault/helper/proxyutil"
	"github.com/hashicorp/vault/helper/reload"
	"github.com/hashicorp/vault/helper/tlsutil"
	"github.com/mitchellh/cli"
)

// ListenerFactory is the factory function to create a listener.
type ListenerFactory func(map[string]interface{}, io.Writer, cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error)

// BuiltinListeners is the list of built-in listener types.
var BuiltinListeners = map[string]ListenerFactory{
	"tcp": tcpListenerFactory,
}

// NewListener creates a new listener of the given type with the given
// configuration. The type is looked up in the BuiltinListeners map.
func NewListener(t string, config map[string]interface{}, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {
	f, ok := BuiltinListeners[t]
	if !ok {
		return nil, nil, nil, fmt.Errorf("unknown listener type: %s", t)
	}

	return f(config, logger, ui)
}

func listenerWrapProxy(ln net.Listener, config map[string]interface{}) (net.Listener, error) {
	behaviorRaw, ok := config["proxy_protocol_behavior"]
	if !ok {
		return ln, nil
	}

	behavior, ok := behaviorRaw.(string)
	if !ok {
		return nil, fmt.Errorf("failed parsing proxy_protocol_behavior value: not a string")
	}

	authorizedAddrsRaw, ok := config["proxy_protocol_authorized_addrs"]
	if !ok {
		return nil, fmt.Errorf("proxy_protocol_behavior set but no proxy_protocol_authorized_addrs value")
	}

	proxyProtoConfig := &proxyutil.ProxyProtoConfig{
		Behavior: behavior,
	}
	if err := proxyProtoConfig.SetAuthorizedAddrs(authorizedAddrsRaw); err != nil {
		return nil, fmt.Errorf("failed parsing proxy_protocol_authorized_addrs: %v", err)
	}

	newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig)
	if err != nil {
		return nil, fmt.Errorf("failed configuring PROXY protocol wrapper: %s", err)
	}

	return newLn, nil
}

func listenerWrapTLS(
	ln net.Listener,
	props map[string]string,
	config map[string]interface{},
	ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {
	props["tls"] = "disabled"

	if v, ok := config["tls_disable"]; ok {
		disabled, err := parseutil.ParseBool(v)
		if err != nil {
			return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable': %v", err)
		}
		if disabled {
			return ln, props, nil, nil
		}
	}

	certFileRaw, ok := config["tls_cert_file"]
	if !ok {
		return nil, nil, nil, fmt.Errorf("'tls_cert_file' must be set")
	}
	certFile := certFileRaw.(string)
	keyFileRaw, ok := config["tls_key_file"]
	if !ok {
		return nil, nil, nil, fmt.Errorf("'tls_key_file' must be set")
	}
	keyFile := keyFileRaw.(string)

	cg := reload.NewCertificateGetter(certFile, keyFile, "")
	if err := cg.Reload(config); err != nil {
		// We try the key without a passphrase first and if we get an incorrect
		// passphrase response, try again after prompting for a passphrase
		if errwrap.Contains(err, x509.IncorrectPasswordError.Error()) {
			var passphrase string
			passphrase, err = ui.AskSecret(fmt.Sprintf("Enter passphrase for %s:", keyFile))
			if err == nil {
				cg = reload.NewCertificateGetter(certFile, keyFile, passphrase)
				if err = cg.Reload(config); err == nil {
					goto PASSPHRASECORRECT
				}
			}
		}
		return nil, nil, nil, errwrap.Wrapf("error loading TLS cert: {{err}}", err)
	}

PASSPHRASECORRECT:
	var tlsvers string
	tlsversRaw, ok := config["tls_min_version"]
	if !ok {
		tlsvers = "tls12"
	} else {
		tlsvers = tlsversRaw.(string)
	}

	tlsConf := &tls.Config{}
	tlsConf.GetCertificate = cg.GetCertificate
	tlsConf.NextProtos = []string{"h2", "http/1.1"}
	tlsConf.MinVersion, ok = tlsutil.TLSLookup[tlsvers]
	if !ok {
		return nil, nil, nil, fmt.Errorf("'tls_min_version' value %s not supported, please specify one of [tls10,tls11,tls12]", tlsvers)
	}
	tlsConf.ClientAuth = tls.RequestClientCert

	if v, ok := config["tls_cipher_suites"]; ok {
		ciphers, err := tlsutil.ParseCiphers(v.(string))
		if err != nil {
			return nil, nil, nil, fmt.Errorf("invalid value for 'tls_cipher_suites': %v", err)
		}
		tlsConf.CipherSuites = ciphers
	}
	if v, ok := config["tls_prefer_server_cipher_suites"]; ok {
		preferServer, err := parseutil.ParseBool(v)
		if err != nil {
			return nil, nil, nil, fmt.Errorf("invalid value for 'tls_prefer_server_cipher_suites': %v", err)
		}
		tlsConf.PreferServerCipherSuites = preferServer
	}
	var requireVerifyCerts bool
	var err error
	if v, ok := config["tls_require_and_verify_client_cert"]; ok {
		requireVerifyCerts, err = parseutil.ParseBool(v)
		if err != nil {
			return nil, nil, nil, fmt.Errorf("invalid value for 'tls_require_and_verify_client_cert': %v", err)
		}
		if requireVerifyCerts {
			tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
		}
		if tlsClientCaFile, ok := config["tls_client_ca_file"]; ok {
			caPool := x509.NewCertPool()
			data, err := ioutil.ReadFile(tlsClientCaFile.(string))
			if err != nil {
				return nil, nil, nil, fmt.Errorf("failed to read tls_client_ca_file: %v", err)
			}

			if !caPool.AppendCertsFromPEM(data) {
				return nil, nil, nil, fmt.Errorf("failed to parse CA certificate in tls_client_ca_file")
			}
			tlsConf.ClientCAs = caPool
		}
	}
	if v, ok := config["tls_disable_client_certs"]; ok {
		disableClientCerts, err := parseutil.ParseBool(v)
		if err != nil {
			return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable_client_certs': %v", err)
		}
		if disableClientCerts && requireVerifyCerts {
			return nil, nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive")
		}
		if disableClientCerts {
			tlsConf.ClientAuth = tls.NoClientCert
		}
	}

	ln = tls.NewListener(ln, tlsConf)
	props["tls"] = "enabled"
	return ln, props, cg.Reload, nil
}
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`package server`

			`import (`
Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`"github.com/hashicorp/errwrap"`
server: import sha512. Fixes #448 2015-07-23 20:51:45 +00:00			`// We must import sha512 so that it registers with the runtime so that`
			`// certificates that use it can be parsed.`
			`_ "crypto/sha512"`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`"crypto/tls"`
tls_client_ca_file option for verifying client (#3034) 2017-08-03 11:33:06 +00:00			`"crypto/x509"`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`"fmt"`
Initial Atlas listener implementation 2016-06-02 16:40:25 +00:00			`"io"`
tls_client_ca_file option for verifying client (#3034) 2017-08-03 11:33:06 +00:00			`"io/ioutil"`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`"net"`
Make 'tls_min_version' configurable 2016-07-12 23:32:47 +00:00
Convert listener arguments to map[string]interface{} (#2905) This allows people to use more natural constructs, e.g. for tls_disable it can be a bool, int, or string. 2017-06-22 19:29:53 +00:00			`"github.com/hashicorp/vault/helper/parseutil"`
Moved PROXY protocol wrap to execute before the TLS wrap (#3195) 2017-08-23 16:00:09 +00:00			`"github.com/hashicorp/vault/helper/proxyutil"`
Add a -dev-three-node option for devs. (#3081) 2017-07-31 15:28:06 +00:00			`"github.com/hashicorp/vault/helper/reload"`
Make 'tls_min_version' configurable 2016-07-12 23:32:47 +00:00			`"github.com/hashicorp/vault/helper/tlsutil"`
Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`"github.com/mitchellh/cli"`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`)`

			`// ListenerFactory is the factory function to create a listener.`
Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`type ListenerFactory func(map[string]interface{}, io.Writer, cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error)`
command/server: tcp listener 2015-03-13 16:37:32 +00:00
			`// BuiltinListeners is the list of built-in listener types.`
			`var BuiltinListeners = map[string]ListenerFactory{`
Convert listener arguments to map[string]interface{} (#2905) This allows people to use more natural constructs, e.g. for tls_disable it can be a bool, int, or string. 2017-06-22 19:29:53 +00:00			`"tcp": tcpListenerFactory,`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`}`

			`// NewListener creates a new listener of the given type with the given`
			`// configuration. The type is looked up in the BuiltinListeners map.`
Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`func NewListener(t string, config map[string]interface{}, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`f, ok := BuiltinListeners[t]`
			`if !ok {`
Add reload capability for Vault listener certs. No tests (other than manual) yet, and no documentation yet. 2016-03-10 02:40:46 +00:00			`return nil, nil, nil, fmt.Errorf("unknown listener type: %s", t)`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`}`

Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`return f(config, logger, ui)`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`}`
command/server: support TLS 2015-03-13 16:56:08 +00:00
Moved PROXY protocol wrap to execute before the TLS wrap (#3195) 2017-08-23 16:00:09 +00:00			`func listenerWrapProxy(ln net.Listener, config map[string]interface{}) (net.Listener, error) {`
			`behaviorRaw, ok := config["proxy_protocol_behavior"]`
			`if !ok {`
			`return ln, nil`
			`}`

			`behavior, ok := behaviorRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("failed parsing proxy_protocol_behavior value: not a string")`
			`}`

			`authorizedAddrsRaw, ok := config["proxy_protocol_authorized_addrs"]`
			`if !ok {`
			`return nil, fmt.Errorf("proxy_protocol_behavior set but no proxy_protocol_authorized_addrs value")`
			`}`

			`proxyProtoConfig := &proxyutil.ProxyProtoConfig{`
			`Behavior: behavior,`
			`}`
			`if err := proxyProtoConfig.SetAuthorizedAddrs(authorizedAddrsRaw); err != nil {`
			`return nil, fmt.Errorf("failed parsing proxy_protocol_authorized_addrs: %v", err)`
			`}`

			`newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed configuring PROXY protocol wrapper: %s", err)`
			`}`

			`return newLn, nil`
			`}`

command/server: support TLS 2015-03-13 16:56:08 +00:00			`func listenerWrapTLS(`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`ln net.Listener,`
			`props map[string]string,`
Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`config map[string]interface{},`
			`ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`props["tls"] = "disabled"`

server: sanity check value for 'tls_disable' 2015-11-25 19:37:57 +00:00			`if v, ok := config["tls_disable"]; ok {`
Convert listener arguments to map[string]interface{} (#2905) This allows people to use more natural constructs, e.g. for tls_disable it can be a bool, int, or string. 2017-06-22 19:29:53 +00:00			`disabled, err := parseutil.ParseBool(v)`
server: sanity check value for 'tls_disable' 2015-11-25 19:37:57 +00:00			`if err != nil {`
Add reload capability for Vault listener certs. No tests (other than manual) yet, and no documentation yet. 2016-03-10 02:40:46 +00:00			`return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable': %v", err)`
server: sanity check value for 'tls_disable' 2015-11-25 19:37:57 +00:00			`}`
			`if disabled {`
Add reload capability for Vault listener certs. No tests (other than manual) yet, and no documentation yet. 2016-03-10 02:40:46 +00:00			`return ln, props, nil, nil`
server: sanity check value for 'tls_disable' 2015-11-25 19:37:57 +00:00			`}`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`

Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`certFileRaw, ok := config["tls_cert_file"]`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`if !ok {`
Add reload capability for Vault listener certs. No tests (other than manual) yet, and no documentation yet. 2016-03-10 02:40:46 +00:00			`return nil, nil, nil, fmt.Errorf("'tls_cert_file' must be set")`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`
Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`certFile := certFileRaw.(string)`
			`keyFileRaw, ok := config["tls_key_file"]`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`if !ok {`
Add reload capability for Vault listener certs. No tests (other than manual) yet, and no documentation yet. 2016-03-10 02:40:46 +00:00			`return nil, nil, nil, fmt.Errorf("'tls_key_file' must be set")`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`
Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`keyFile := keyFileRaw.(string)`
command/server: support TLS 2015-03-13 16:56:08 +00:00
Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`cg := reload.NewCertificateGetter(certFile, keyFile, "")`
Add a -dev-three-node option for devs. (#3081) 2017-07-31 15:28:06 +00:00			`if err := cg.Reload(config); err != nil {`
Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`// We try the key without a passphrase first and if we get an incorrect`
			`// passphrase response, try again after prompting for a passphrase`
			`if errwrap.Contains(err, x509.IncorrectPasswordError.Error()) {`
			`var passphrase string`
			`passphrase, err = ui.AskSecret(fmt.Sprintf("Enter passphrase for %s:", keyFile))`
			`if err == nil {`
			`cg = reload.NewCertificateGetter(certFile, keyFile, passphrase)`
			`if err = cg.Reload(config); err == nil {`
			`goto PASSPHRASECORRECT`
			`}`
			`}`
			`}`
			`return nil, nil, nil, errwrap.Wrapf("error loading TLS cert: {{err}}", err)`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`

Add support for encrypted TLS key files (#3685) 2017-12-15 22:33:55 +00:00			`PASSPHRASECORRECT:`
Convert listener arguments to map[string]interface{} (#2905) This allows people to use more natural constructs, e.g. for tls_disable it can be a bool, int, or string. 2017-06-22 19:29:53 +00:00			`var tlsvers string`
			`tlsversRaw, ok := config["tls_min_version"]`
Allow specifying a TLS minimum version 2015-07-23 03:19:41 +00:00			`if !ok {`
			`tlsvers = "tls12"`
Convert listener arguments to map[string]interface{} (#2905) This allows people to use more natural constructs, e.g. for tls_disable it can be a bool, int, or string. 2017-06-22 19:29:53 +00:00			`} else {`
			`tlsvers = tlsversRaw.(string)`
Allow specifying a TLS minimum version 2015-07-23 03:19:41 +00:00			`}`
server: import sha512. Fixes #448 2015-07-23 20:51:45 +00:00
command/server: support TLS 2015-03-13 16:56:08 +00:00			`tlsConf := &tls.Config{}`
Add a -dev-three-node option for devs. (#3081) 2017-07-31 15:28:06 +00:00			`tlsConf.GetCertificate = cg.GetCertificate`
Trim leading/trailing space around PEM bundles. Fixes #1634 2016-07-20 17:57:49 +00:00			`tlsConf.NextProtos = []string{"h2", "http/1.1"}`
Make 'tls_min_version' configurable 2016-07-12 23:32:47 +00:00			`tlsConf.MinVersion, ok = tlsutil.TLSLookup[tlsvers]`
Allow specifying a TLS minimum version 2015-07-23 03:19:41 +00:00			`if !ok {`
Add reload capability for Vault listener certs. No tests (other than manual) yet, and no documentation yet. 2016-03-10 02:40:46 +00:00			`return nil, nil, nil, fmt.Errorf("'tls_min_version' value %s not supported, please specify one of [tls10,tls11,tls12]", tlsvers)`
Allow specifying a TLS minimum version 2015-07-23 03:19:41 +00:00			`}`
command/listener: Request TLS client cert. Fixes #214 2015-05-20 23:01:40 +00:00			`tlsConf.ClientAuth = tls.RequestClientCert`
command/server: support TLS 2015-03-13 16:56:08 +00:00
Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener (#2293) 2017-01-23 18:48:35 +00:00			`if v, ok := config["tls_cipher_suites"]; ok {`
Convert listener arguments to map[string]interface{} (#2905) This allows people to use more natural constructs, e.g. for tls_disable it can be a bool, int, or string. 2017-06-22 19:29:53 +00:00			`ciphers, err := tlsutil.ParseCiphers(v.(string))`
Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener (#2293) 2017-01-23 18:48:35 +00:00			`if err != nil {`
			`return nil, nil, nil, fmt.Errorf("invalid value for 'tls_cipher_suites': %v", err)`
			`}`
			`tlsConf.CipherSuites = ciphers`
			`}`
			`if v, ok := config["tls_prefer_server_cipher_suites"]; ok {`
Convert listener arguments to map[string]interface{} (#2905) This allows people to use more natural constructs, e.g. for tls_disable it can be a bool, int, or string. 2017-06-22 19:29:53 +00:00			`preferServer, err := parseutil.ParseBool(v)`
Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener (#2293) 2017-01-23 18:48:35 +00:00			`if err != nil {`
			`return nil, nil, nil, fmt.Errorf("invalid value for 'tls_prefer_server_cipher_suites': %v", err)`
			`}`
			`tlsConf.PreferServerCipherSuites = preferServer`
			`}`
Add option to disable client certificate requesting. (#3373) Fixes #3372 2017-09-25 18:41:46 +00:00			`var requireVerifyCerts bool`
			`var err error`
Add option to require valid client certificates (#2457) 2017-03-08 15:21:31 +00:00			`if v, ok := config["tls_require_and_verify_client_cert"]; ok {`
Add option to disable client certificate requesting. (#3373) Fixes #3372 2017-09-25 18:41:46 +00:00			`requireVerifyCerts, err = parseutil.ParseBool(v)`
Add option to require valid client certificates (#2457) 2017-03-08 15:21:31 +00:00			`if err != nil {`
			`return nil, nil, nil, fmt.Errorf("invalid value for 'tls_require_and_verify_client_cert': %v", err)`
			`}`
Add option to disable client certificate requesting. (#3373) Fixes #3372 2017-09-25 18:41:46 +00:00			`if requireVerifyCerts {`
Add option to require valid client certificates (#2457) 2017-03-08 15:21:31 +00:00			`tlsConf.ClientAuth = tls.RequireAndVerifyClientCert`
			`}`
tls_client_ca_file option for verifying client (#3034) 2017-08-03 11:33:06 +00:00			`if tlsClientCaFile, ok := config["tls_client_ca_file"]; ok {`
			`caPool := x509.NewCertPool()`
			`data, err := ioutil.ReadFile(tlsClientCaFile.(string))`
			`if err != nil {`
			`return nil, nil, nil, fmt.Errorf("failed to read tls_client_ca_file: %v", err)`
			`}`

			`if !caPool.AppendCertsFromPEM(data) {`
			`return nil, nil, nil, fmt.Errorf("failed to parse CA certificate in tls_client_ca_file")`
			`}`
			`tlsConf.ClientCAs = caPool`
			`}`
Add option to require valid client certificates (#2457) 2017-03-08 15:21:31 +00:00			`}`
Add option to disable client certificate requesting. (#3373) Fixes #3372 2017-09-25 18:41:46 +00:00			`if v, ok := config["tls_disable_client_certs"]; ok {`
			`disableClientCerts, err := parseutil.ParseBool(v)`
			`if err != nil {`
			`return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable_client_certs': %v", err)`
			`}`
			`if disableClientCerts && requireVerifyCerts {`
			`return nil, nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive")`
			`}`
Config parameter "tls_disable_client_certs" is wrongly evaluated. (#4049) 2018-02-28 15:07:23 +00:00			`if disableClientCerts {`
			`tlsConf.ClientAuth = tls.NoClientCert`
			`}`
Add option to disable client certificate requesting. (#3373) Fixes #3372 2017-09-25 18:41:46 +00:00			`}`
Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener (#2293) 2017-01-23 18:48:35 +00:00
command/server: support TLS 2015-03-13 16:56:08 +00:00			`ln = tls.NewListener(ln, tlsConf)`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`props["tls"] = "enabled"`
Add a -dev-three-node option for devs. (#3081) 2017-07-31 15:28:06 +00:00			`return ln, props, cg.Reload, nil`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`