luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

VAULT-8703 Add warning for dangerous undocumented overrides, if used, in status response (#17855) 

* VAULT-8703 Add warning for dangerous undocumented overrides, if used, in status response

* VAULT-8703 add changelog

* VAULT-8703 fix append
This commit is contained in:
Violet Hynes 2022-11-09 11:04:36 -05:00 committed by GitHub
parent 06f30de35f
commit 65e8eee0ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 131 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
api/sys_seal.go
View File

@ -93,22 +93,23 @@ func sealStatusRequestWithContext(ctx context.Context, c *Sys, r *Request) (*Sea
}
type SealStatusResponse struct {
Type string `json:"type"`
Initialized bool `json:"initialized"`
Sealed bool `json:"sealed"`
T int `json:"t"`
N int `json:"n"`
Progress int `json:"progress"`
Nonce string `json:"nonce"`
Version string `json:"version"`
BuildDate string `json:"build_date"`
Migration bool `json:"migration"`
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
StorageType string `json:"storage_type,omitempty"`
HCPLinkStatus string `json:"hcp_link_status,omitempty"`
HCPLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`
Type string `json:"type"`
Initialized bool `json:"initialized"`
Sealed bool `json:"sealed"`
T int `json:"t"`
N int `json:"n"`
Progress int `json:"progress"`
Nonce string `json:"nonce"`
Version string `json:"version"`
BuildDate string `json:"build_date"`
Migration bool `json:"migration"`
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
StorageType string `json:"storage_type,omitempty"`
HCPLinkStatus string `json:"hcp_link_status,omitempty"`
HCPLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`
Warnings []string `json:"warnings,omitempty"`
}
type UnsealOpts struct {

3
changelog/17855.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
core: Added warning to /sys/seal-status and vault status command if potentially dangerous behaviour overrides are being used.
```

3
command/format.go
View File

@ -402,6 +402,9 @@ func (t TableFormatter) OutputSealStatusStruct(ui cli.Ui, secret *api.Secret, da
if status.LastWAL != 0 {
out = append(out, fmt.Sprintf("Last WAL | %d", status.LastWAL))
}
if len(status.Warnings) > 0 {
out = append(out, fmt.Sprintf("Warnings | %v", status.Warnings))
}
ui.Output(tableOutput(out, &columnize.Config{
Delim: "|",

4
command/format_test.go
View File

@ -118,7 +118,8 @@ Cluster ID cluster id
HA Enabled true
Raft Committed Index 3
Raft Applied Index 4
Last WAL 2`
Last WAL 2
Warnings [warning]`
if expectedOutputString != output {
fmt.Printf("%s\n%+v\n %s\n%+v\n", "output found was: ", output, "versus", expectedOutputString)
@ -174,6 +175,7 @@ func getMockStatusData(emptyFields bool) SealStatusOutput {
ClusterID: "cluster id",
RecoverySeal: true,
StorageType: "storage type",
Warnings: []string{"warning"},
}
// must initialize this struct without explicit field names due to embedding

74
http/sys_seal_test.go
View File

@ -60,6 +60,80 @@ func TestSysSealStatus(t *testing.T) {
}
}
func TestSysSealStatus_Warnings(t *testing.T) {
core := vault.TestCore(t)
vault.TestCoreInit(t, core)
ln, addr := TestServer(t, core)
defer ln.Close()
// Manually configure DisableSSCTokens to be true
core.GetCoreConfigInternal().DisableSSCTokens = true
resp, err := http.Get(addr + "/v1/sys/seal-status")
if err != nil {
t.Fatalf("err: %s", err)
}
var actual map[string]interface{}
expected := map[string]interface{}{
"sealed": true,
"t": json.Number("3"),
"n": json.Number("3"),
"progress": json.Number("0"),
"nonce": "",
"type": "shamir",
"recovery_seal": false,
"initialized": true,
"migration": false,
"build_date": version.BuildDate,
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
if actual["version"] == nil {
t.Fatalf("expected version information")
}
expected["version"] = actual["version"]
if actual["cluster_name"] == nil {
delete(expected, "cluster_name")
} else {
expected["cluster_name"] = actual["cluster_name"]
}
if actual["cluster_id"] == nil {
delete(expected, "cluster_id")
} else {
expected["cluster_id"] = actual["cluster_id"]
}
actualWarnings := actual["warnings"]
if actualWarnings == nil {
t.Fatalf("expected warnings about SSCToken disabling")
}
actualWarningsArray, ok := actualWarnings.([]interface{})
if !ok {
t.Fatalf("expected warnings about SSCToken disabling were not in the right format")
}
if len(actualWarningsArray) != 1 {
t.Fatalf("too many warnings were given")
}
actualWarning, ok := actualWarningsArray[0].(string)
if !ok {
t.Fatalf("expected warning about SSCToken disabling was not in the right format")
}
expectedWarning := "Server Side Consistent Tokens are disabled, due to the " +
"VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS environment variable being set. " +
"It is not recommended to run Vault for an extended period of time with this configuration."
if actualWarning != expectedWarning {
t.Fatalf("actual warning was not as expected. Expected %s, but got %s", expectedWarning, actualWarning)
}
expected["warnings"] = actual["warnings"]
if diff := deep.Equal(actual, expected); diff != nil {
t.Fatal(diff)
}
}
func TestSysSealStatus_uninit(t *testing.T) {
core := vault.TestCore(t)
ln, addr := TestServer(t, core)

47
vault/logical_system.go
View File

@ -4529,22 +4529,36 @@ func (b *SystemBackend) pathInternalOpenAPI(ctx context.Context, req *logical.Re
}
type SealStatusResponse struct {
Type string `json:"type"`
Initialized bool `json:"initialized"`
Sealed bool `json:"sealed"`
T int `json:"t"`
N int `json:"n"`
Progress int `json:"progress"`
Nonce string `json:"nonce"`
Version string `json:"version"`
BuildDate string `json:"build_date"`
Migration bool `json:"migration"`
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
StorageType string `json:"storage_type,omitempty"`
HCPLinkStatus string `json:"hcp_link_status,omitempty"`
HCPLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`
Type string `json:"type"`
Initialized bool `json:"initialized"`
Sealed bool `json:"sealed"`
T int `json:"t"`
N int `json:"n"`
Progress int `json:"progress"`
Nonce string `json:"nonce"`
Version string `json:"version"`
BuildDate string `json:"build_date"`
Migration bool `json:"migration"`
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
StorageType string `json:"storage_type,omitempty"`
HCPLinkStatus string `json:"hcp_link_status,omitempty"`
HCPLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`
Warnings []string `json:"warnings,omitempty"`
}
// getStatusWarnings exposes potentially dangerous overrides in the status response
// currently, this only warns about VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS,
// but should be extended to report more warnings where appropriate
func (core *Core) getStatusWarnings() []string {
var warnings []string
if core.GetCoreConfigInternal() != nil && core.GetCoreConfigInternal().DisableSSCTokens {
warnings = append(warnings, "Server Side Consistent Tokens are disabled, due to the "+
"VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS environment variable being set. "+
"It is not recommended to run Vault for an extended period of time with this configuration.")
}
return warnings
}
func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error) {
@ -4617,6 +4631,7 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error
ClusterID: clusterID,
RecoverySeal: core.SealAccess().RecoveryKeySupported(),
StorageType: core.StorageType(),
Warnings: core.getStatusWarnings(),
}
if resourceIDonHCP != "" {