core: port over CG and perf standby handling bits (#6530)

2019-04-03 14:16:49 -07:00 · 2019-04-03 14:16:49 -07:00 · ee46fd4362
parent eed91ba84d
commit ee46fd4362
2 changed files with 21 additions and 0 deletions
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@ -352,6 +352,23 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool

 	if !authResults.Allowed {
 		retErr := authResults.Error
+
+		// If we get a control group error and we are a performance standby,
+		// restore the client token information to the request so that we can
+		// forward this request properly to the active node.
+		if retErr.ErrorOrNil() != nil && checkErrControlGroupTokenNeedsCreated(retErr) &&
+			c.perfStandby && len(req.ClientToken) != 0 {
+			switch req.ClientTokenSource {
+			case logical.ClientTokenFromVaultHeader:
+				req.Headers[consts.AuthHeaderName] = []string{req.ClientToken}
+			case logical.ClientTokenFromAuthzHeader:
+				req.Headers["Authorization"] = append(req.Headers["Authorization"], fmt.Sprintf("Bearer %s", req.ClientToken))
+			}
+			// We also return the appropriate error so that the caller can forward the
+			// request to the active node
+			return auth, te, logical.ErrPerfStandbyPleaseForward
+		}
+
 		if authResults.Error.ErrorOrNil() == nil || authResults.DeniedError {
 			retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
 		}
--- a/vault/request_handling_util.go
+++ b/vault/request_handling_util.go
@ -15,6 +15,10 @@ func checkNeedsCG(context.Context, *Core, *logical.Request, *logical.Auth, error
 	return nil, nil, nil, nil
 }

+func checkErrControlGroupTokenNeedsCreated(err error) bool {
+	return false
+}
+
 func shouldForward(c *Core, routeErr error) bool {
 	return false
 }