Merge pull request #1461 from hashicorp/check-table-sanity

Add table/type checking to mounts table.

vault/audit.go

@@ -26,6 +26,10 @@ const (
 	// auditBarrierPrefix is the prefix to the UUID used in the
 	// barrier view for the audit backends.
 	auditBarrierPrefix = "audit/"
+
+	// auditTableType is the value we expect to find for the audit table and
+	// corresponding entries
+	auditTableType = "audit"
 )
 
 var (
@@ -146,6 +150,26 @@ func (c *Core) loadAudits() error {
 
 	// Done if we have restored the audit table
 	if c.audit != nil {
+		needPersist := false
+
+		// Upgrade to typed auth table
+		if c.audit.Type == "" {
+			c.audit.Type = auditTableType
+			needPersist = true
+		}
+
+		// Upgrade to table-scoped entries
+		for _, entry := range c.audit.Entries {
+			if entry.Table == "" {
+				entry.Table = c.audit.Type
+				needPersist = true
+			}
+		}
+
+		if needPersist {
+			return c.persistAudit(c.audit)
+		}
+
 		return nil
 	}
 
@@ -159,6 +183,25 @@ func (c *Core) loadAudits() error {
 
 // persistAudit is used to persist the audit table after modification
 func (c *Core) persistAudit(table *MountTable) error {
+	if table.Type != auditTableType {
+		c.logger.Printf(
+			"[ERR] core: given table to persist has type %s but need type %s",
+			table.Type,
+			auditTableType)
+		return fmt.Errorf("invalid table type given, not persisting")
+	}
+
+	for _, entry := range table.Entries {
+		if entry.Table != table.Type {
+			c.logger.Printf(
+				"[ERR] core: entry in audit table with path %s has table value %s but is in table %s, refusing to persist",
+				entry.Path,
+				entry.Table,
+				table.Type)
+			return fmt.Errorf("invalid audit entry found, not persisting")
+		}
+	}
+
 	// Marshal the table
 	raw, err := json.Marshal(table)
 	if err != nil {
@@ -240,7 +283,9 @@ func (c *Core) newAuditBackend(t string, view logical.Storage, conf map[string]s
 
 // defaultAuditTable creates a default audit table
 func defaultAuditTable() *MountTable {
-	table := &MountTable{}
+	table := &MountTable{
+		Type: auditTableType,
+	}
 	return table
 }
 

vault/audit_test.go

@@ -56,6 +56,7 @@ func TestCore_EnableAudit(t *testing.T) {
 	}
 
 	me := &MountEntry{
+		Table: auditTableType,
 		Path:  "foo",
 		Type:  "noop",
 	}
@@ -115,6 +116,7 @@ func TestCore_DisableAudit(t *testing.T) {
 	}
 
 	me := &MountEntry{
+		Table: auditTableType,
 		Path:  "foo",
 		Type:  "noop",
 	}
@@ -196,6 +198,9 @@ func verifyDefaultAuditTable(t *testing.T, table *MountTable) {
 	if len(table.Entries) != 0 {
 		t.Fatalf("bad: %v", table.Entries)
 	}
+	if table.Type != auditTableType {
+		t.Fatalf("bad: %v", *table)
+	}
 }
 
 func TestAuditBroker_LogRequest(t *testing.T) {

vault/auth.go

@@ -22,6 +22,10 @@ const (
 
 	// credentialRoutePrefix is the mount prefix used for the router
 	credentialRoutePrefix = "auth/"
+
+	// credentialTableType is the value we expect to find for the credential
+	// table and corresponding entries
+	credentialTableType = "auth"
 )
 
 var (
@@ -210,6 +214,26 @@ func (c *Core) loadCredentials() error {
 
 	// Done if we have restored the auth table
 	if c.auth != nil {
+		needPersist := false
+
+		// Upgrade to typed auth table
+		if c.auth.Type == "" {
+			c.auth.Type = credentialTableType
+			needPersist = true
+		}
+
+		// Upgrade to table-scoped entries
+		for _, entry := range c.auth.Entries {
+			if entry.Table == "" {
+				entry.Table = c.auth.Type
+				needPersist = true
+			}
+		}
+
+		if needPersist {
+			return c.persistAuth(c.auth)
+		}
+
 		return nil
 	}
 
@@ -224,6 +248,25 @@ func (c *Core) loadCredentials() error {
 
 // persistAuth is used to persist the auth table after modification
 func (c *Core) persistAuth(table *MountTable) error {
+	if table.Type != credentialTableType {
+		c.logger.Printf(
+			"[ERR] core: given table to persist has type %s but need type %s",
+			table.Type,
+			credentialTableType)
+		return fmt.Errorf("invalid table type given, not persisting")
+	}
+
+	for _, entry := range table.Entries {
+		if entry.Table != table.Type {
+			c.logger.Printf(
+				"[ERR] core: entry in auth table with path %s has table value %s but is in table %s, refusing to persist",
+				entry.Path,
+				entry.Table,
+				table.Type)
+			return fmt.Errorf("invalid auth entry found, not persisting")
+		}
+	}
+
 	// Marshal the table
 	raw, err := json.Marshal(table)
 	if err != nil {
@@ -341,12 +384,15 @@ func (c *Core) newCredentialBackend(
 
 // defaultAuthTable creates a default auth table
 func defaultAuthTable() *MountTable {
-	table := &MountTable{}
+	table := &MountTable{
+		Type: credentialTableType,
+	}
 	tokenUUID, err := uuid.GenerateUUID()
 	if err != nil {
 		panic(fmt.Sprintf("could not generate UUID for default auth table token entry: %v", err))
 	}
 	tokenAuth := &MountEntry{
+		Table:       credentialTableType,
 		Path:        "token/",
 		Type:        "token",
 		Description: "token based credentials",

vault/auth_test.go

@@ -41,6 +41,7 @@ func TestCore_EnableCredential(t *testing.T) {
 	}
 
 	me := &MountEntry{
+		Table: credentialTableType,
 		Path:  "foo",
 		Type:  "noop",
 	}
@@ -86,6 +87,7 @@ func TestCore_EnableCredential_twice_409(t *testing.T) {
 	}
 
 	me := &MountEntry{
+		Table: credentialTableType,
 		Path:  "foo",
 		Type:  "noop",
 	}
@@ -109,6 +111,7 @@ func TestCore_EnableCredential_twice_409(t *testing.T) {
 func TestCore_EnableCredential_Token(t *testing.T) {
 	c, _, _ := TestCoreUnsealed(t)
 	me := &MountEntry{
+		Table: credentialTableType,
 		Path:  "foo",
 		Type:  "token",
 	}
@@ -130,6 +133,7 @@ func TestCore_DisableCredential(t *testing.T) {
 	}
 
 	me := &MountEntry{
+		Table: credentialTableType,
 		Path:  "foo",
 		Type:  "noop",
 	}
@@ -188,6 +192,7 @@ func TestCore_DisableCredential_Cleanup(t *testing.T) {
 	}
 
 	me := &MountEntry{
+		Table: credentialTableType,
 		Path:  "foo",
 		Type:  "noop",
 	}
@@ -260,6 +265,9 @@ func verifyDefaultAuthTable(t *testing.T, table *MountTable) {
 	if len(table.Entries) != 1 {
 		t.Fatalf("bad: %v", table.Entries)
 	}
+	if table.Type != credentialTableType {
+		t.Fatalf("bad: %v", *table)
+	}
 	for idx, entry := range table.Entries {
 		switch idx {
 		case 0:

vault/expiration_test.go

@@ -965,6 +965,7 @@ func TestExpiration_RevokeForce(t *testing.T) {
 
 	core.logicalBackends["badrenew"] = badRenewFactory
 	me := &MountEntry{
+		Table: mountTableType,
 		Path:  "badrenew/",
 		Type:  "badrenew",
 	}

vault/logical_system.go

@@ -720,6 +720,7 @@ func (b *SystemBackend) handleMount(
 
 	// Create the mount entry
 	me := &MountEntry{
+		Table:       mountTableType,
 		Path:        path,
 		Type:        logicalType,
 		Description: description,
@@ -1001,6 +1002,7 @@ func (b *SystemBackend) handleEnableAuth(
 
 	// Create the mount entry
 	me := &MountEntry{
+		Table:       credentialTableType,
 		Path:        path,
 		Type:        logicalType,
 		Description: description,
@@ -1169,6 +1171,7 @@ func (b *SystemBackend) handleEnableAudit(
 
 	// Create the mount entry
 	me := &MountEntry{
+		Table:       auditTableType,
 		Path:        path,
 		Type:        backendType,
 		Description: description,

vault/mount.go

@@ -25,6 +25,10 @@ const (
 	// systemBarrierPrefix is the prefix used for the
 	// system logical backend.
 	systemBarrierPrefix = "sys/"
+
+	// mountTableType is the value we expect to find for the mount table and
+	// corresponding entries
+	mountTableType = "mounts"
 )
 
 var (
@@ -55,6 +59,7 @@ var (
 
 // MountTable is used to represent the internal mount table
 type MountTable struct {
+	Type    string        `json:"type"`
 	Entries []*MountEntry `json:"entries"`
 }
 
@@ -64,6 +69,7 @@ type MountTable struct {
 // if modifying entries rather than modifying the table itself
 func (t *MountTable) ShallowClone() *MountTable {
 	mt := &MountTable{
+		Type:    t.Type,
 		Entries: make([]*MountEntry, len(t.Entries)),
 	}
 	for i, e := range t.Entries {
@@ -120,6 +126,7 @@ func (t *MountTable) Remove(path string) bool {
 
 // MountEntry is used to represent a mount table entry
 type MountEntry struct {
+	Table       string            `json:"table"`             // The table it belongs to
 	Path        string            `json:"path"`              // Mount Path
 	Type        string            `json:"type"`              // Logical backend Type
 	Description string            `json:"description"`       // User-provided description
@@ -142,6 +149,7 @@ func (e *MountEntry) Clone() *MountEntry {
 		optClone[k] = v
 	}
 	return &MountEntry{
+		Table:       e.Table,
 		Path:        e.Path,
 		Type:        e.Type,
 		Description: e.Description,
@@ -409,6 +417,13 @@ func (c *Core) loadMounts() error {
 	// by type only.
 	if c.mounts != nil {
 		needPersist := false
+
+		// Upgrade to typed mount table
+		if c.mounts.Type == "" {
+			c.mounts.Type = mountTableType
+			needPersist = true
+		}
+
 		for _, requiredMount := range requiredMountTable().Entries {
 			foundRequired := false
 			for _, coreMount := range c.mounts.Entries {
@@ -423,6 +438,14 @@ func (c *Core) loadMounts() error {
 			}
 		}
 
+		// Upgrade to table-scoped entries
+		for _, entry := range c.mounts.Entries {
+			if entry.Table == "" {
+				entry.Table = c.mounts.Type
+				needPersist = true
+			}
+		}
+
 		// Done if we have restored the mount table and we don't need
 		// to persist
 		if !needPersist {
@@ -441,6 +464,25 @@ func (c *Core) loadMounts() error {
 
 // persistMounts is used to persist the mount table after modification
 func (c *Core) persistMounts(table *MountTable) error {
+	if table.Type != mountTableType {
+		c.logger.Printf(
+			"[ERR] core: given table to persist has type %s but need type %s",
+			table.Type,
+			mountTableType)
+		return fmt.Errorf("invalid table type given, not persisting")
+	}
+
+	for _, entry := range table.Entries {
+		if entry.Table != table.Type {
+			c.logger.Printf(
+				"[ERR] core: entry in mount table with path %s has table value %s but is in table %s, refusing to persist",
+				entry.Path,
+				entry.Table,
+				table.Type)
+			return fmt.Errorf("invalid mount entry found, not persisting")
+		}
+	}
+
 	// Marshal the table
 	raw, err := json.Marshal(table)
 	if err != nil {
@@ -574,12 +616,15 @@ func (c *Core) mountEntrySysView(me *MountEntry) logical.SystemView {
 
 // defaultMountTable creates a default mount table
 func defaultMountTable() *MountTable {
-	table := &MountTable{}
+	table := &MountTable{
+		Type: mountTableType,
+	}
 	mountUUID, err := uuid.GenerateUUID()
 	if err != nil {
 		panic(fmt.Sprintf("could not create default mount table UUID: %v", err))
 	}
 	genericMount := &MountEntry{
+		Table:       mountTableType,
 		Path:        "secret/",
 		Type:        "generic",
 		Description: "generic secret storage",
@@ -593,12 +638,15 @@ func defaultMountTable() *MountTable {
 // requiredMountTable() creates a mount table with entries required
 // to be available
 func requiredMountTable() *MountTable {
-	table := &MountTable{}
+	table := &MountTable{
+		Type: mountTableType,
+	}
 	cubbyholeUUID, err := uuid.GenerateUUID()
 	if err != nil {
 		panic(fmt.Sprintf("could not create cubbyhole UUID: %v", err))
 	}
 	cubbyholeMount := &MountEntry{
+		Table:       mountTableType,
 		Path:        "cubbyhole/",
 		Type:        "cubbyhole",
 		Description: "per-token private secret storage",
@@ -610,6 +658,7 @@ func requiredMountTable() *MountTable {
 		panic(fmt.Sprintf("could not create sys UUID: %v", err))
 	}
 	sysMount := &MountEntry{
+		Table:       mountTableType,
 		Path:        "sys/",
 		Type:        "system",
 		Description: "system endpoints used for control, policy and debugging",

vault/mount_test.go

@@ -1,10 +1,12 @@
 package vault
 
 import (
+	"encoding/json"
 	"reflect"
 	"testing"
 	"time"
 
+	"github.com/hashicorp/vault/audit"
 	"github.com/hashicorp/vault/logical"
 )
 
@@ -38,6 +40,7 @@ func TestCore_DefaultMountTable(t *testing.T) {
 func TestCore_Mount(t *testing.T) {
 	c, key, _ := TestCoreUnsealed(t)
 	me := &MountEntry{
+		Table: mountTableType,
 		Path:  "foo",
 		Type:  "generic",
 	}
@@ -116,6 +119,7 @@ func TestCore_Unmount_Cleanup(t *testing.T) {
 
 	// Mount the noop backend
 	me := &MountEntry{
+		Table: mountTableType,
 		Path:  "test/",
 		Type:  "noop",
 	}
@@ -233,6 +237,7 @@ func TestCore_Remount_Cleanup(t *testing.T) {
 
 	// Mount the noop backend
 	me := &MountEntry{
+		Table: mountTableType,
 		Path:  "test/",
 		Type:  "noop",
 	}
@@ -320,6 +325,143 @@ func TestDefaultMountTable(t *testing.T) {
 	verifyDefaultTable(t, table)
 }
 
+func TestCore_MountTable_UpgradeToTyped(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+
+	c.auditBackends["noop"] = func(config *audit.BackendConfig) (audit.Backend, error) {
+		return &NoopAudit{
+			Config: config,
+		}, nil
+	}
+
+	me := &MountEntry{
+		Table: auditTableType,
+		Path:  "foo",
+		Type:  "noop",
+	}
+	err := c.enableAudit(me)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	c.credentialBackends["noop"] = func(*logical.BackendConfig) (logical.Backend, error) {
+		return &NoopBackend{}, nil
+	}
+
+	me = &MountEntry{
+		Table: credentialTableType,
+		Path:  "foo",
+		Type:  "noop",
+	}
+	err = c.enableCredential(me)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	testCore_MountTable_UpgradeToTyped_Common(t, c, "mounts")
+	testCore_MountTable_UpgradeToTyped_Common(t, c, "audits")
+	testCore_MountTable_UpgradeToTyped_Common(t, c, "credentials")
+}
+
+func testCore_MountTable_UpgradeToTyped_Common(
+	t *testing.T,
+	c *Core,
+	testType string) {
+
+	var path string
+	var mt *MountTable
+	switch testType {
+	case "mounts":
+		path = coreMountConfigPath
+		mt = c.mounts
+	case "audits":
+		path = coreAuditConfigPath
+		mt = c.audit
+	case "credentials":
+		path = coreAuthConfigPath
+		mt = c.auth
+	}
+
+	// Save the expected table
+	goodJson, err := json.Marshal(mt)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a pre-typed version
+	mt.Type = ""
+	for _, entry := range mt.Entries {
+		entry.Table = ""
+	}
+
+	raw, err := json.Marshal(mt)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if reflect.DeepEqual(raw, goodJson) {
+		t.Fatalf("bad: values here should be different")
+	}
+
+	entry := &Entry{
+		Key:   path,
+		Value: raw,
+	}
+	if err := c.barrier.Put(entry); err != nil {
+		t.Fatal(err)
+	}
+
+	var persistFunc func(*MountTable) error
+
+	// It should load successfully and be upgraded and persisted
+	switch testType {
+	case "mounts":
+		err = c.loadMounts()
+		persistFunc = c.persistMounts
+		mt = c.mounts
+	case "credentials":
+		err = c.loadCredentials()
+		persistFunc = c.persistAuth
+		mt = c.auth
+	case "audits":
+		err = c.loadAudits()
+		persistFunc = c.persistAudit
+		mt = c.audit
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	entry, err = c.barrier.Get(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !reflect.DeepEqual(entry.Value, goodJson) {
+		t.Fatalf("bad: expected\n%s\ngot\n%s\n", string(goodJson), string(entry.Value))
+	}
+
+	// Now try saving invalid versions
+	origTableType := mt.Type
+	mt.Type = "foo"
+	if err := persistFunc(mt); err == nil {
+		t.Fatal("expected error")
+	}
+
+	if len(mt.Entries) > 0 {
+		mt.Type = origTableType
+		mt.Entries[0].Table = "bar"
+		if err := persistFunc(mt); err == nil {
+			t.Fatal("expected error")
+		}
+
+		mt.Entries[0].Table = mt.Type
+		if err := persistFunc(mt); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
 func verifyDefaultTable(t *testing.T, table *MountTable) {
 	if len(table.Entries) != 3 {
 		t.Fatalf("bad: %v", table.Entries)
@@ -348,6 +490,9 @@ func verifyDefaultTable(t *testing.T, table *MountTable) {
 				t.Fatalf("bad: %v", entry)
 			}
 		}
+		if entry.Table != mountTableType {
+			t.Fatalf("bad: %v", entry)
+		}
 		if entry.Description == "" {
 			t.Fatalf("bad: %v", entry)
 		}

vault/request_handling_test.go

@@ -15,6 +15,7 @@ func TestRequestHandling_Wrapping(t *testing.T) {
 
 	meUUID, _ := uuid.GenerateUUID()
 	err := core.mount(&MountEntry{
+		Table: mountTableType,
 		UUID:  meUUID,
 		Path:  "wraptest",
 		Type:  "generic",

vault/testing.go

@@ -167,6 +167,7 @@ func TestCoreWithTokenStore(t *testing.T) (*Core, *TokenStore, []byte, string) {
 	c, key, root := TestCoreUnsealed(t)
 
 	me := &MountEntry{
+		Table:       credentialTableType,
 		Path:        "token/",
 		Type:        "token",
 		Description: "token based credentials",
@@ -184,7 +185,7 @@ func TestCoreWithTokenStore(t *testing.T) (*Core, *TokenStore, []byte, string) {
 	ts := tokenstore.(*TokenStore)
 
 	router := NewRouter()
-	router.Mount(ts, "auth/token/", &MountEntry{UUID: ""}, ts.view)
+	router.Mount(ts, "auth/token/", &MountEntry{Table: credentialTableType, UUID: ""}, ts.view)
 
 	subview := c.systemBarrierView.SubView(expirationSubPath)
 	logger := log.New(os.Stderr, "", log.LstdFlags)