Remove token store paths with token/accessors in URLs (#5773)

Jeff Mitchell 2018-11-19 16:58:19 -05:00 committed by GitHub
parent e9002a0ce5
commit 127413461b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 31 additions and 102 deletions


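--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,11 @@ CHANGES:
 difference but it should provide significant performance benefits for those
 writing custom clients using the Go API library. As before, this can be
 changed to any custom HTTP client by the caller.
+* Paths within `auth/token` that allow specifying a token or accessor in the
+URL have been removed. These have been deprecated since March 2016 and
+undocumented, but were retained for backwards compatibility. They shouldn't
+be used due to the possibility of those paths being logged, so at this point
+they are simply being removed.
 CHANGES FROM BETA 1:
 (Note: these items will be removed from the final 1.0 changelog as they are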


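--- a/identity_store_test.go
+++ b/identity_store_test.go
@@ -241,7 +241,9 @@ func TestIdentityStore_ExternalGroupMembershipsAcrossMounts(t *testing.T) {
 //
 // Extract the entity ID of the token
-secret, err = client.Logical().Read("auth/token/lookup/" + ldapClientToken)
+secret, err = client.Logical().Write("auth/token/lookup", map[string]interface{}{
+"token": ldapClientToken,
+})
 if err != nil {
 t.Fatal(err)
 }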


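--- a/token_store_test.go
+++ b/token_store_test.go
@@ -152,7 +152,9 @@ func TestTokenStore_IdentityPolicies(t *testing.T) {
 }
 // At this point there shouldn't be any identity policy on the token
-secret, err = client.Logical().Read("auth/token/lookup/" + ldapClientToken)
+secret, err = client.Logical().Write("auth/token/lookup", map[string]interface{}{
+"token": ldapClientToken,
+})
 if err != nil {
 t.Fatal(err)
 }
@@ -174,7 +176,9 @@ func TestTokenStore_IdentityPolicies(t *testing.T) {
 }
 // Lookup the token and expect entity policies on the token
-secret, err = client.Logical().Read("auth/token/lookup/" + ldapClientToken)
+secret, err = client.Logical().Write("auth/token/lookup", map[string]interface{}{
+"token": ldapClientToken,
+})
 if err != nil {
 t.Fatal(err)
 }
@@ -209,7 +213,9 @@ func TestTokenStore_IdentityPolicies(t *testing.T) {
 }
 // Lookup token and expect both entity and group policies on the token
-secret, err = client.Logical().Read("auth/token/lookup/" + ldapClientToken)
+secret, err = client.Logical().Write("auth/token/lookup", map[string]interface{}{
+"token": ldapClientToken,
+})
 if err != nil {
 t.Fatal(err)
 }
@@ -270,7 +276,9 @@ func TestTokenStore_IdentityPolicies(t *testing.T) {
 // Lookup token and expect entity, group and external group policies on the
 // token
-secret, err = client.Logical().Read("auth/token/lookup/" + ldapClientToken)
+secret, err = client.Logical().Write("auth/token/lookup", map[string]interface{}{
+"token": ldapClientToken,
+})
 if err != nil {
 t.Fatal(err)
 }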


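--- a/token_store.go
+++ b/token_store.go
@@ -245,13 +245,9 @@ func (ts *TokenStore) paths() []*framework.Path {
 },
 {
-Pattern: "lookup" + framework.OptionalParamRegex("urltoken"),
+Pattern: "lookup",
 Fields: map[string]*framework.FieldSchema{
-"urltoken": &framework.FieldSchema{
-Type: framework.TypeString,
-Description: "DEPRECATED: Token to lookup (URL parameter). Do not use this; use the POST version instead with the token in the body.",
-},
 "token": &framework.FieldSchema{
 Type: framework.TypeString,
 Description: "Token to lookup (POST request body)",
@@ -268,13 +264,9 @@ func (ts *TokenStore) paths() []*framework.Path {
 },
 {
-Pattern: "lookup-accessor" + framework.OptionalParamRegex("urlaccessor"),
+Pattern: "lookup-accessor",
 Fields: map[string]*framework.FieldSchema{
-"urlaccessor": &framework.FieldSchema{
-Type: framework.TypeString,
-Description: "DEPRECATED: Accessor of the token to lookup (URL parameter). Do not use this; use the POST version instead with the accessor in the body.",
-},
 "accessor": &framework.FieldSchema{
 Type: framework.TypeString,
 Description: "Accessor of the token to look up (request body)",
@@ -309,13 +301,9 @@ func (ts *TokenStore) paths() []*framework.Path {
 },
 {
-Pattern: "revoke-accessor" + framework.OptionalParamRegex("urlaccessor"),
+Pattern: "revoke-accessor",
 Fields: map[string]*framework.FieldSchema{
-"urlaccessor": &framework.FieldSchema{
-Type: framework.TypeString,
-Description: "DEPRECATED: Accessor of the token to revoke (URL parameter). Do not use this; use the POST version instead with the accessor in the body.",
-},
 "accessor": &framework.FieldSchema{
 Type: framework.TypeString,
 Description: "Accessor of the token (request body)",
@@ -342,13 +330,9 @@ func (ts *TokenStore) paths() []*framework.Path {
 },
 {
-Pattern: "revoke" + framework.OptionalParamRegex("urltoken"),
+Pattern: "revoke",
 Fields: map[string]*framework.FieldSchema{
-"urltoken": &framework.FieldSchema{
-Type: framework.TypeString,
-Description: "DEPRECATED: Token to revoke (URL parameter). Do not use this; use the POST version instead with the token in the body.",
-},
 "token": &framework.FieldSchema{
 Type: framework.TypeString,
 Description: "Token to revoke (request body)",
@@ -364,13 +348,9 @@ func (ts *TokenStore) paths() []*framework.Path {
 },
 {
-Pattern: "revoke-orphan" + framework.OptionalParamRegex("urltoken"),
+Pattern: "revoke-orphan",
 Fields: map[string]*framework.FieldSchema{
-"urltoken": &framework.FieldSchema{
-Type: framework.TypeString,
-Description: "DEPRECATED: Token to revoke (URL parameter). Do not use this; use the POST version instead with the token in the body.",
-},
 "token": &framework.FieldSchema{
 Type: framework.TypeString,
 Description: "Token to revoke (request body)",
@@ -409,13 +389,9 @@ func (ts *TokenStore) paths() []*framework.Path {
 },
 {
-Pattern: "renew" + framework.OptionalParamRegex("urltoken"),
+Pattern: "renew",
 Fields: map[string]*framework.FieldSchema{
-"urltoken": &framework.FieldSchema{
-Type: framework.TypeString,
-Description: "DEPRECATED: Token to renew (URL parameter). Do not use this; use the POST version instead with the token in the body.",
-},
 "token": &framework.FieldSchema{
 Type: framework.TypeString,
 Description: "Token to renew (request body)",
@@ -1957,14 +1933,9 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 // handleUpdateLookupAccessor handles the auth/token/lookup-accessor path for returning
 // the properties of the token associated with the accessor
 func (ts *TokenStore) handleUpdateLookupAccessor(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-var urlaccessor bool
 accessor := data.Get("accessor").(string)
 if accessor == "" {
-accessor = data.Get("urlaccessor").(string)
-if accessor == "" {
-return nil, &logical.StatusBadRequest{Err: "missing accessor"}
-}
-urlaccessor = true
+return nil, &logical.StatusBadRequest{Err: "missing accessor"}
 }
 aEntry, err := ts.lookupByAccessor(ctx, accessor, false, false)
@@ -2001,24 +1972,15 @@ func (ts *TokenStore) handleUpdateLookupAccessor(ctx context.Context, req *logic
 resp.Data["id"] = ""
 }
-if urlaccessor {
-resp.AddWarning(`Using an accessor in the path is unsafe as the accessor can be logged in many places. Please use POST or PUT with the accessor passed in via the "accessor" parameter.`)
-}
 return resp, nil
 }
 // handleUpdateRevokeAccessor handles the auth/token/revoke-accessor path for revoking
 // the token associated with the accessor
 func (ts *TokenStore) handleUpdateRevokeAccessor(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-var urlaccessor bool
 accessor := data.Get("accessor").(string)
 if accessor == "" {
-accessor = data.Get("urlaccessor").(string)
-if accessor == "" {
-return nil, &logical.StatusBadRequest{Err: "missing accessor"}
-}
-urlaccessor = true
+return nil, &logical.StatusBadRequest{Err: "missing accessor"}
 }
 aEntry, err := ts.lookupByAccessor(ctx, accessor, false, true)
@@ -2053,12 +2015,6 @@ func (ts *TokenStore) handleUpdateRevokeAccessor(ctx context.Context, req *logic
 return nil, err
 }
-if urlaccessor {
-resp := &logical.Response{}
-resp.AddWarning(`Using an accessor in the path is unsafe as the accessor can be logged in many places. Please use POST or PUT with the accessor passed in via the "accessor" parameter.`)
-return resp, nil
-}
 return nil, nil
 }
@@ -2603,26 +2559,15 @@ func (ts *TokenStore) handleRevokeSelf(ctx context.Context, req *logical.Request
 // in a way that revokes all child tokens. Normally, using sys/revoke/leaseID will revoke
 // the token and all children anyways, but that is only available when there is a lease.
 func (ts *TokenStore) handleRevokeTree(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-var urltoken bool
 id := data.Get("token").(string)
 if id == "" {
-id = data.Get("urltoken").(string)
-if id == "" {
-return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
-}
-urltoken = true
+return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
 }
 if resp, err := ts.revokeCommon(ctx, req, data, id); resp != nil || err != nil {
 return resp, err
 }
-if urltoken {
-resp := &logical.Response{}
-resp.AddWarning(`Using a token in the path is unsafe as the token can be logged in many places. Please use POST or PUT with the token passed in via the "token" parameter.`)
-return resp, nil
-}
 return nil, nil
 }
@@ -2665,15 +2610,10 @@ func (ts *TokenStore) revokeCommon(ctx context.Context, req *logical.Request, da
 // in a way that leaves child tokens orphaned. Normally, using sys/revoke/leaseID will revoke
 // the token and all children.
 func (ts *TokenStore) handleRevokeOrphan(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-var urltoken bool
 // Parse the id
 id := data.Get("token").(string)
 if id == "" {
-id = data.Get("urltoken").(string)
-if id == "" {
-return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
-}
-urltoken = true
+return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
 }
 // Check if the client token has sudo/root privileges for the requested path
@@ -2703,12 +2643,6 @@ func (ts *TokenStore) handleRevokeOrphan(ctx context.Context, req *logical.Reque
 return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 }
-if urltoken {
-resp := &logical.Response{}
-resp.AddWarning(`Using a token in the path is unsafe as the token can be logged in many places. Please use POST or PUT with the token passed in via the "token" parameter.`)
-return resp, nil
-}
 return nil, nil
 }
@@ -2720,14 +2654,7 @@ func (ts *TokenStore) handleLookupSelf(ctx context.Context, req *logical.Request
 // handleLookup handles the auth/token/lookup/id path for querying information about
 // a particular token. This can be used to see which policies are applicable.
 func (ts *TokenStore) handleLookup(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-var urltoken bool
 id := data.Get("token").(string)
-if id == "" {
-id = data.Get("urltoken").(string)
-if id != "" {
-urltoken = true
-}
-}
 if id == "" {
 id = req.ClientToken
 }
@@ -2829,10 +2756,6 @@ func (ts *TokenStore) handleLookup(ctx context.Context, req *logical.Request, da
 }
 }
-if urltoken {
-resp.AddWarning(`Using a token in the path is unsafe as the token can be logged in many places. Please use POST or PUT with the token passed in via the "token" parameter.`)
-}
 return resp, nil
 }
@@ -2844,14 +2767,9 @@ func (ts *TokenStore) handleRenewSelf(ctx context.Context, req *logical.Request,
 // handleRenew handles the auth/token/renew/id path for renewal of tokens.
 // This is used to prevent token expiration and revocation.
 func (ts *TokenStore) handleRenew(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-var urltoken bool
 id := data.Get("token").(string)
 if id == "" {
-id = data.Get("urltoken").(string)
-if id == "" {
-return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
-}
-urltoken = true
+return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
 }
 incrementRaw := data.Get("increment").(int)
@@ -2876,10 +2794,6 @@ func (ts *TokenStore) handleRenew(ctx context.Context, req *logical.Request, dat
 // Renew the token and its children
 resp, err = ts.expiration.RenewToken(ctx, req, te, increment)
-if urltoken {
-resp.AddWarning(`Using a token in the path is unsafe as the token can be logged in many places. Please use POST or PUT with the token passed in via the "token" parameter.`)
-}
 return resp, err
 }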
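Review bot: The doc comments left as context in the handleLookup and handleRenew hunks still describe the URL form this commit removes — `// handleLookup handles the auth/token/lookup/id path for querying information about` and `// handleRenew handles the auth/token/renew/id path for renewal of tokens.` — and should now say `auth/token/lookup` and `auth/token/renew` with the token supplied in the request body. In the same handleLookup hunk, the surviving fallback `if id == "" { id = req.ClientToken }` means a caller who migrates `Read("auth/token/lookup/"+tok)` to a body-less request will silently get its own token's details instead of an error, which is worth a sentence in the changelog entry pointing callers at a POST with `token` (or at `lookup-self`). If the HTTP layer also maps GET query parameters into FieldData, `GET auth/token/lookup?token=…` would put the token back into a loggable URL; that cannot be confirmed from this hunk, but if it holds, the `token`/`accessor` fields should be rejected on read operations. handleLookup's body continues outside the hunk.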