vault: prevent raw access to protected paths

vault/logical_system.go

@@ -1,6 +1,7 @@
 package vault
 
 import (
+	"fmt"
 	"strings"
 	"time"
 
@@ -8,6 +9,15 @@ import (
 	"github.com/hashicorp/vault/logical/framework"
 )
 
+var (
+	// protectedPaths cannot be accessed via the raw APIs.
+	// This is both for security and to prevent disrupting Vault.
+	protectedPaths = []string{
+		barrierInitPath,
+		keyringPath,
+	}
+)
+
 func NewSystemBackend(core *Core) logical.Backend {
 	b := &SystemBackend{Core: core}
 	b.Backend = &framework.Backend{
@@ -652,6 +662,15 @@ func (b *SystemBackend) handleDisableAudit(
 func (b *SystemBackend) handleRawRead(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	path := data.Get("path").(string)
+
+	// Prevent access of protected paths
+	for _, p := range protectedPaths {
+		if strings.HasPrefix(path, p) {
+			err := fmt.Sprintf("cannot read '%s'", path)
+			return logical.ErrorResponse(err), logical.ErrInvalidRequest
+		}
+	}
+
 	entry, err := b.Core.barrier.Get(path)
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
@@ -671,6 +690,15 @@ func (b *SystemBackend) handleRawRead(
 func (b *SystemBackend) handleRawWrite(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	path := data.Get("path").(string)
+
+	// Prevent access of protected paths
+	for _, p := range protectedPaths {
+		if strings.HasPrefix(path, p) {
+			err := fmt.Sprintf("cannot write '%s'", path)
+			return logical.ErrorResponse(err), logical.ErrInvalidRequest
+		}
+	}
+
 	value := data.Get("value").(string)
 	entry := &Entry{
 		Key:   path,
@@ -686,6 +714,15 @@ func (b *SystemBackend) handleRawWrite(
 func (b *SystemBackend) handleRawDelete(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	path := data.Get("path").(string)
+
+	// Prevent access of protected paths
+	for _, p := range protectedPaths {
+		if strings.HasPrefix(path, p) {
+			err := fmt.Sprintf("cannot delete '%s'", path)
+			return logical.ErrorResponse(err), logical.ErrInvalidRequest
+		}
+	}
+
 	if err := b.Core.barrier.Delete(path); err != nil {
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 	}

vault/logical_system_test.go

@@ -600,6 +600,16 @@ func TestSystemBackend_disableAudit_invalid(t *testing.T) {
 	}
 }
 
+func TestSystemBackend_rawRead_Protected(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.ReadOperation, "raw/"+keyringPath)
+	_, err := b.HandleRequest(req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+}
+
 func TestSystemBackend_rawRead(t *testing.T) {
 	b := testSystemBackend(t)
 
@@ -613,6 +623,16 @@ func TestSystemBackend_rawRead(t *testing.T) {
 	}
 }
 
+func TestSystemBackend_rawWrite_Protected(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.WriteOperation, "raw/"+keyringPath)
+	_, err := b.HandleRequest(req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+}
+
 func TestSystemBackend_rawWrite(t *testing.T) {
 	c, b, _ := testCoreSystemBackend(t)
 
@@ -639,6 +659,16 @@ func TestSystemBackend_rawWrite(t *testing.T) {
 	}
 }
 
+func TestSystemBackend_rawDelete_Protected(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.DeleteOperation, "raw/"+keyringPath)
+	_, err := b.HandleRequest(req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+}
+
 func TestSystemBackend_rawDelete(t *testing.T) {
 	c, b, _ := testCoreSystemBackend(t)