Add some extra safety checking in accessor listing and update website

docs.
2016-08-01 13:07:41 -04:00 · 2016-08-01 13:07:41 -04:00 · 357f2d972f
parent 6546005487
commit 357f2d972f
3 changed files with 66 additions and 2 deletions
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -129,6 +129,9 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 				Callbacks: map[logical.Operation]framework.OperationFunc{
 					logical.ListOperation: t.tokenStoreAccessorList,
 				},
+
+				HelpSynopsis:    tokenListAccessorsHelp,
+				HelpDescription: tokenListAccessorsHelp,
 			},

 			&framework.Path{
@ -540,7 +543,11 @@ func (ts *TokenStore) tokenStoreAccessorList(
 			resp.AddWarning("Found an accessor entry that could not be successfully decoded")
 			continue
 		}
-		ret = append(ret, aEntry.AccessorID)
+		if aEntry.TokenID == "" {
+			resp.AddWarning(fmt.Sprintf("Found an accessor entry missing a token: %v", aEntry.AccessorID))
+		} else {
+			ret = append(ret, aEntry.AccessorID)
+		}
 	}

 	resp.Data = map[string]interface{}{
@ -917,7 +924,14 @@ func (ts *TokenStore) lookupBySaltedAccessor(saltedAccessor string) (accessorEnt
 		if err != nil {
 			return accessorEntry{}, fmt.Errorf("failed to look up token using accessor index: %s", err)
 		}
-		aEntry.AccessorID = te.Accessor
+		// It's hard to reason about what to do here -- it may be that the
+		// token was revoked async, or that it's an old accessor index entry
+		// that was somehow not cleared up, or or or. A nonexistent token entry
+		// on lookup is nil, not an error, so we keep that behavior here to be
+		// safe...the token ID is simply not filled in.
+		if te != nil {
+			aEntry.AccessorID = te.Accessor
+		}
 	}

 	return aEntry, nil
@ -1766,4 +1780,10 @@ no effect on the token being renewed.`
 	tokenRenewableHelp = `Tokens created via this role will be
 renewable or not according to this value.
 Defaults to "true".`
+	tokenListAccessorsHelp = `List token accessors, which can then be
+be used to iterate and discover their properities
+or revoke them. Because this can be used to
+cause a denial of service, this endpoint
+requires 'sudo' capability in addition to
+'list'.`
 )
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -139,6 +139,9 @@ func TestTokenStore_HandleRequest_ListAccessors(t *testing.T) {
 	if len(keys) != len(testKeys) {
 		t.Fatalf("wrong number of accessors found")
 	}
+	if len(resp.Warnings()) != 0 {
+		t.Fatalf("got warnings:\n%#v", resp.Warnings())
+	}

 	// Test upgrade from old struct method of accessor storage (of token id)
 	for _, accessor := range keys {
@ -171,6 +174,9 @@ func TestTokenStore_HandleRequest_ListAccessors(t *testing.T) {
 	if len(keys) != len(testKeys) {
 		t.Fatalf("wrong number of accessors found")
 	}
+	if len(resp.Warnings()) != 0 {
+		t.Fatalf("got warnings:\n%#v", resp.Warnings())
+	}

 	for _, accessor := range keys2 {
 		aEntry, err := ts.lookupByAccessor(accessor)
--- a/website/source/docs/auth/token.html.md
+++ b/website/source/docs/auth/token.html.md
@ -40,6 +40,44 @@ of the header should be "X-Vault-Token" and the value should be the token.

 ## API

+### /auth/token/accessors
+#### LIST or GET 
+
+<dl class="api">
+  <dt>Description</dt>
+  <dd>
+    Lists token accessors. This requires `sudo` capability, and access to it
+    should be tightly controlled as the accessors can be used to revoke very
+    large numbers of tokens and their associated leases at once.
+  </dd>
+
+  <dt>Method</dt>
+  <dd>LIST or GET</dd>
+
+  <dt>URL</dt>
+  <dd>`/auth/token/accessors` (LIST)<dd>
+  <dd>`/auth/token/accessors?list=true` (GET)<dd>
+
+  <dt>Parameters</dt>
+  <dd>
+    None
+  </dd>
+
+  <dt>Returns</dt>
+  <dd>
+
+    ```javascript
+    {
+      "data": {
+        "keys": ["476ea048-ded5-4d07-eeea-938c6b4e43ec", "bb00c093-b7d3-b0e9-69cc-c4d85081165b"]
+      }
+    }
+    ```
+
+  </dd>
+</dl>
+
+
 ### /auth/token/create
 ### /auth/token/create-orphan
 ### /auth/token/create/[role_name]