vault: Provide salted client token to logical backends

Armon Dadgar 2015-04-03 14:42:39 -07:00
parent e4854ca59b
commit 002b2ad589
6 changed files with 36 additions and 61 deletions


@ -80,7 +80,7 @@ func (c *Core) enableCredential(entry *MountEntry) error {
// Mount the backend
path := credentialRoutePrefix + entry.Path
if err := c.router.Mount(backend, path, view); err != nil {
if err := c.router.Mount(backend, path, entry.UUID, view); err != nil {
return err
}
c.logger.Printf("[INFO] core: enabled credential backend '%s' type: %s",
@ -209,7 +209,7 @@ func (c *Core) setupCredentials() error {
// Mount the backend
path := credentialRoutePrefix + entry.Path
err = c.router.Mount(backend, path, view)
err = c.router.Mount(backend, path, entry.UUID, view)
if err != nil {
c.logger.Printf("[ERR] core: failed to mount auth entry %#v: %v", entry, err)
return loadAuthFailed


@ -43,7 +43,7 @@ func TestExpiration_Restore(t *testing.T) {
noop := &NoopBackend{}
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
exp.router.Mount(noop, "prod/aws/", view)
exp.router.Mount(noop, "prod/aws/", generateUUID(), view)
paths := []string{
"prod/aws/foo",
@ -151,7 +151,7 @@ func TestExpiration_Revoke(t *testing.T) {
noop := &NoopBackend{}
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
exp.router.Mount(noop, "prod/aws/", view)
exp.router.Mount(noop, "prod/aws/", generateUUID(), view)
req := &logical.Request{
Operation: logical.ReadOperation,
@ -187,7 +187,7 @@ func TestExpiration_RevokeOnExpire(t *testing.T) {
noop := &NoopBackend{}
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
exp.router.Mount(noop, "prod/aws/", view)
exp.router.Mount(noop, "prod/aws/", generateUUID(), view)
req := &logical.Request{
Operation: logical.ReadOperation,
@ -227,7 +227,7 @@ func TestExpiration_RevokePrefix(t *testing.T) {
noop := &NoopBackend{}
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
exp.router.Mount(noop, "prod/aws/", view)
exp.router.Mount(noop, "prod/aws/", generateUUID(), view)
paths := []string{
"prod/aws/foo",
@ -309,7 +309,7 @@ func TestExpiration_Renew(t *testing.T) {
noop := &NoopBackend{}
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
exp.router.Mount(noop, "prod/aws/", view)
exp.router.Mount(noop, "prod/aws/", generateUUID(), view)
req := &logical.Request{
Operation: logical.ReadOperation,
@ -363,7 +363,7 @@ func TestExpiration_Renew_RevokeOnExpire(t *testing.T) {
noop := &NoopBackend{}
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
exp.router.Mount(noop, "prod/aws/", view)
exp.router.Mount(noop, "prod/aws/", generateUUID(), view)
req := &logical.Request{
Operation: logical.ReadOperation,
@ -419,7 +419,7 @@ func TestExpiration_revokeEntry(t *testing.T) {
noop := &NoopBackend{}
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
exp.router.Mount(noop, "", view)
exp.router.Mount(noop, "", generateUUID(), view)
le := &leaseEntry{
VaultID: "foo/bar/1234",
@ -499,7 +499,7 @@ func TestExpiration_renewEntry(t *testing.T) {
}
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
exp.router.Mount(noop, "", view)
exp.router.Mount(noop, "", generateUUID(), view)
le := &leaseEntry{
VaultID: "foo/bar/1234",


@ -122,7 +122,7 @@ func (c *Core) mount(me *MountEntry) error {
c.mounts = newTable
// Mount the backend
if err := c.router.Mount(backend, me.Path, view); err != nil {
if err := c.router.Mount(backend, me.Path, me.UUID, view); err != nil {
return err
}
c.logger.Printf("[INFO] core: mounted '%s' type: %s", me.Path, me.Type)
@ -396,7 +396,7 @@ func (c *Core) setupMounts() error {
}
// Mount the backend
err = c.router.Mount(backend, entry.Path, view)
err = c.router.Mount(backend, entry.Path, entry.UUID, view)
if err != nil {
c.logger.Printf("[ERR] core: failed to mount entry %#v: %v", entry, err)
return loadMountsFailed
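Review bot: `c.router.Mount(backend, entry.Path, entry.UUID, view)` in setupMounts passes the persisted UUID straight through as the salt, and nothing visible checks that it is non-empty; if an entry loaded from an older mount table lacks a UUID (not visible here, so to be confirmed), SaltID degenerates to an unsalted SHA-1 of the token that is identical across every such mount. A guard in the same style as the existing error path would make that failure explicit: `if entry.UUID == "" { c.logger.Printf("[ERR] core: mount entry %#v has no UUID", entry); return loadMountsFailed }`. The same check applies to setupCredentials in the credential-backend section above, which returns loadAuthFailed. Both setupMounts and setupCredentials start and end outside their hunks.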


@ -19,7 +19,7 @@ func mockRollback(t *testing.T) (*RollbackManager, *NoopBackend) {
Path: "foo",
},
}
if err := router.Mount(backend, "foo", nil); err != nil {
if err := router.Mount(backend, "foo", generateUUID(), nil); err != nil {
t.Fatalf("err: %s", err)
}


@ -1,6 +1,8 @@
package vault
import (
"crypto/sha1"
"encoding/hex"
"fmt"
"strings"
"sync"
@ -26,14 +28,23 @@ func NewRouter() *Router {
// mountEntry is used to represent a mount point
type mountEntry struct {
tainted bool
salt string
backend logical.Backend
view *BarrierView
rootPaths *radix.Tree
loginPaths *radix.Tree
}
// Mount is used to expose a logical backend at a given prefix
func (r *Router) Mount(backend logical.Backend, prefix string, view *BarrierView) error {
// SaltID is used to apply a salt and hash to an ID to make sure its not reversable
func (me *mountEntry) SaltID(id string) string {
comb := me.salt + id
hash := sha1.Sum([]byte(comb))
return hex.EncodeToString(hash[:])
}
// Mount is used to expose a logical backend at a given prefix, using a unique salt,
// and the barrier view for that path.
func (r *Router) Mount(backend logical.Backend, prefix, salt string, view *BarrierView) error {
r.l.Lock()
defer r.l.Unlock()
@ -161,10 +172,10 @@ func (r *Router) Route(req *logical.Request) (*logical.Response, error) {
// Attach the storage view for the request
req.Storage = me.view
// Clear the request token unless this is the token backend
// Hash the request token unless this is the token backend
clientToken := req.ClientToken
if !strings.HasPrefix(original, "auth/token/") {
req.ClientToken = ""
req.ClientToken = me.SaltID(req.ClientToken)
}
// If the request is not a login path, then clear the connection
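Review bot: `req.ClientToken = me.SaltID(req.ClientToken)` in Route hashes an empty token too, so a request that arrived with no token now reaches the backend carrying a non-empty, stable value (the hex SHA-1 of the salt alone) where the old code passed an empty string; a backend that treated a non-empty ClientToken as a sign the caller was authenticated would be misled. Guard it: `if req.ClientToken != "" { req.ClientToken = me.SaltID(req.ClientToken) }`. SaltID is a plain SHA-1 over salt+id, which is enough to keep the token from being recovered or replayed by the backend, but the contract deserves a precise comment, e.g. `// SaltID returns the hex SHA-1 of salt+id so a backend can key on a client token without being able to recover or reuse it; the salt is per mount, so one token maps to different values in different mounts.` (also fixing "reversable"). Route's body and Mount's body both start and end outside the hunk.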


@ -40,12 +40,12 @@ func TestRouter_Mount(t *testing.T) {
view := NewBarrierView(barrier, "logical/")
n := &NoopBackend{}
err := r.Mount(n, "prod/aws/", view)
err := r.Mount(n, "prod/aws/", generateUUID(), view)
if err != nil {
t.Fatalf("err: %v", err)
}
err = r.Mount(n, "prod/aws/", view)
err = r.Mount(n, "prod/aws/", generateUUID(), view)
if !strings.Contains(err.Error(), "cannot mount under existing mount") {
t.Fatalf("err: %v", err)
}
@ -89,7 +89,7 @@ func TestRouter_Unmount(t *testing.T) {
view := NewBarrierView(barrier, "logical/")
n := &NoopBackend{}
err := r.Mount(n, "prod/aws/", view)
err := r.Mount(n, "prod/aws/", generateUUID(), view)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -114,7 +114,7 @@ func TestRouter_Remount(t *testing.T) {
view := NewBarrierView(barrier, "logical/")
n := &NoopBackend{}
err := r.Mount(n, "prod/aws/", view)
err := r.Mount(n, "prod/aws/", generateUUID(), view)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -162,7 +162,7 @@ func TestRouter_RootPath(t *testing.T) {
"policy/*",
},
}
err := r.Mount(n, "prod/aws/", view)
err := r.Mount(n, "prod/aws/", generateUUID(), view)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -189,42 +189,6 @@ func TestRouter_RootPath(t *testing.T) {
}
}
/*
func TestRouter_RouteLogin(t *testing.T) {
r := NewRouter()
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "auth/")
n := &NoopBackend{
Login: []string{"bar"},
}
err := r.Mount(n, "auth/foo/", view)
if err != nil {
t.Fatalf("err: %v", err)
}
if path := r.MatchingMount("auth/foo/bar"); path != "auth/foo/" {
t.Fatalf("bad: %s", path)
}
req := &logical.Request{
Path: "auth/foo/bar",
}
resp, err := r.RouteLogin(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
// Verify the path
if len(n.LPaths) != 1 || n.LPaths[0] != "bar" {
t.Fatalf("bad: %v", n.Paths)
}
}
*/
func TestRouter_LoginPath(t *testing.T) {
r := NewRouter()
_, barrier, _ := mockBarrier(t)
@ -236,7 +200,7 @@ func TestRouter_LoginPath(t *testing.T) {
"oauth/*",
},
}
err := r.Mount(n, "auth/foo/", view)
err := r.Mount(n, "auth/foo/", generateUUID(), view)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -267,7 +231,7 @@ func TestRouter_Taint(t *testing.T) {
view := NewBarrierView(barrier, "logical/")
n := &NoopBackend{}
err := r.Mount(n, "prod/aws/", view)
err := r.Mount(n, "prod/aws/", generateUUID(), view)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -306,7 +270,7 @@ func TestRouter_Untaint(t *testing.T) {
view := NewBarrierView(barrier, "logical/")
n := &NoopBackend{}
err := r.Mount(n, "prod/aws/", view)
err := r.Mount(n, "prod/aws/", generateUUID(), view)
if err != nil {
t.Fatalf("err: %v", err)
}