OSS PR for Config Changes PR (#18418)

* OSS PR for Config Changes PR

* Edited tests

* typo

* Added changelog

* Remove changelog

command/server.go

@@ -1592,7 +1592,7 @@ func (c *ServerCommand) Run(args []string) int {
 			}
 
 		RUNRELOADFUNCS:
-			if err := c.Reload(c.reloadFuncsLock, c.reloadFuncs, c.flagConfigs); err != nil {
+			if err := c.Reload(c.reloadFuncsLock, c.reloadFuncs, c.flagConfigs, core); err != nil {
 				c.UI.Error(fmt.Sprintf("Error(s) were encountered during reload: %s", err))
 			}
 
@@ -2089,7 +2089,7 @@ func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info m
 		case <-c.SighupCh:
 			c.UI.Output("==> Vault reload triggered")
 			for _, core := range testCluster.Cores {
-				if err := c.Reload(core.ReloadFuncsLock, core.ReloadFuncs, nil); err != nil {
+				if err := c.Reload(core.ReloadFuncsLock, core.ReloadFuncs, nil, core.Core); err != nil {
 					c.UI.Error(fmt.Sprintf("Error(s) were encountered during reload: %s", err))
 				}
 			}
@@ -2207,7 +2207,7 @@ func (c *ServerCommand) detectRedirect(detect physical.RedirectDetect,
 	return url.String(), nil
 }
 
-func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]reloadutil.ReloadFunc, configPath []string) error {
+func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]reloadutil.ReloadFunc, configPath []string, core *vault.Core) error {
 	lock.RLock()
 	defer lock.RUnlock()
 
@@ -2235,6 +2235,9 @@ func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]rel
 		}
 	}
 
+	// Set Introspection Endpoint to enabled with new value in the config after reload
+	core.ReloadIntrospectionEndpointEnabled()
+
 	// Send a message that we reloaded. This prevents "guessing" sleep times
 	// in tests.
 	select {
@@ -2628,6 +2631,7 @@ func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.
 		PluginFilePermissions:          config.PluginFilePermissions,
 		EnableUI:                       config.EnableUI,
 		EnableRaw:                      config.EnableRawEndpoint,
+		EnableIntrospection:            config.EnableIntrospectionEndpoint,
 		DisableSealWrap:                config.DisableSealWrap,
 		DisablePerformanceStandby:      config.DisablePerformanceStandby,
 		DisableIndexing:                config.DisableIndexing,
@@ -2646,6 +2650,7 @@ func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.
 
 	if c.flagDev {
 		coreConfig.EnableRaw = true
+		coreConfig.EnableIntrospection = true
 		coreConfig.DevToken = c.flagDevRootTokenID
 		if c.flagDevLeasedKV {
 			coreConfig.LogicalBackends["kv"] = vault.LeasedPassthroughBackendFactory

command/server/config.go

@@ -68,6 +68,9 @@ type Config struct {
 	PluginFilePermissions    int         `hcl:"-"`
 	PluginFilePermissionsRaw interface{} `hcl:"plugin_file_permissions,alias:PluginFilePermissions"`
 
+	EnableIntrospectionEndpoint    bool        `hcl:"-"`
+	EnableIntrospectionEndpointRaw interface{} `hcl:"introspection_endpoint,alias:EnableIntrospectionEndpoint"`
+
 	EnableRawEndpoint    bool        `hcl:"-"`
 	EnableRawEndpointRaw interface{} `hcl:"raw_storage_endpoint,alias:EnableRawEndpoint"`
 
@@ -322,6 +325,11 @@ func (c *Config) Merge(c2 *Config) *Config {
 		result.EnableRawEndpoint = c2.EnableRawEndpoint
 	}
 
+	result.EnableIntrospectionEndpoint = c.EnableIntrospectionEndpoint
+	if c2.EnableIntrospectionEndpoint {
+		result.EnableIntrospectionEndpoint = c2.EnableIntrospectionEndpoint
+	}
+
 	result.APIAddr = c.APIAddr
 	if c2.APIAddr != "" {
 		result.APIAddr = c2.APIAddr
@@ -573,6 +581,12 @@ func ParseConfig(d, source string) (*Config, error) {
 		}
 	}
 
+	if result.EnableIntrospectionEndpointRaw != nil {
+		if result.EnableIntrospectionEndpoint, err = parseutil.ParseBool(result.EnableIntrospectionEndpointRaw); err != nil {
+			return nil, err
+		}
+	}
+
 	if result.DisableClusteringRaw != nil {
 		if result.DisableClustering, err = parseutil.ParseBool(result.DisableClusteringRaw); err != nil {
 			return nil, err
@@ -994,6 +1008,8 @@ func (c *Config) Sanitized() map[string]interface{} {
 
 		"raw_storage_endpoint": c.EnableRawEndpoint,
 
+		"introspection_endpoint": c.EnableIntrospectionEndpoint,
+
 		"api_addr":           c.APIAddr,
 		"cluster_addr":       c.ClusterAddr,
 		"disable_clustering": c.DisableClustering,

command/server/config_test_helpers.go

@@ -452,6 +452,9 @@ func testLoadConfigFile(t *testing.T) {
 		EnableRawEndpoint:    true,
 		EnableRawEndpointRaw: true,
 
+		EnableIntrospectionEndpoint:    true,
+		EnableIntrospectionEndpointRaw: true,
+
 		DisableSealWrap:    true,
 		DisableSealWrapRaw: true,
 
@@ -740,6 +743,7 @@ func testConfig_Sanitized(t *testing.T) {
 		"disable_printable_check":             false,
 		"disable_sealwrap":                    true,
 		"raw_storage_endpoint":                true,
+		"introspection_endpoint":              false,
 		"disable_sentinel_trace":              true,
 		"enable_ui":                           true,
 		"enable_response_header_hostname":     false,

command/server/test-fixtures/config.hcl

@@ -43,6 +43,7 @@ default_lease_ttl = "10h"
 cluster_name = "testcluster"
 pid_file = "./pidfile"
 raw_storage_endpoint = true
+introspection_endpoint = true
 disable_sealwrap = true
 disable_printable_check = true
 enable_response_header_hostname = true

http/sys_config_state_test.go

@@ -39,6 +39,7 @@ func TestSysConfigState_Sanitized(t *testing.T) {
 		"disable_printable_check":             false,
 		"disable_sealwrap":                    false,
 		"raw_storage_endpoint":                false,
+		"introspection_endpoint":              false,
 		"disable_sentinel_trace":              false,
 		"enable_ui":                           false,
 		"log_format":                          "",

vault/core.go

@@ -121,6 +121,10 @@ var (
 	// in an HA setting
 	ErrHANotEnabled = errors.New("Vault is not configured for highly-available mode")
 
+	// ErrIntrospectionNotEnabled is returned if "introspection_endpoint" is not
+	// enabled in the configuration file
+	ErrIntrospectionNotEnabled = errors.New("The Vault configuration must set \"introspection_endpoint\" to true to enable this endpoint")
+
 	// manualStepDownSleepPeriod is how long to sleep after a user-initiated
 	// step down of the active node, to prevent instantly regrabbing the lock.
 	// It's var not const so that tests can manipulate it.
@@ -512,6 +516,10 @@ type Core struct {
 	// rawEnabled indicates whether the Raw endpoint is enabled
 	rawEnabled bool
 
+	// inspectableEnabled indicates whether the Inspect endpoint is enabled
+	introspectionEnabled     bool
+	introspectionEnabledLock sync.Mutex
+
 	// pluginDirectory is the location vault will look for plugin binaries
 	pluginDirectory string
 
@@ -736,6 +744,9 @@ type CoreConfig struct {
 	// Enable the raw endpoint
 	EnableRaw bool
 
+	// Enable the introspection endpoint
+	EnableIntrospection bool
+
 	PluginDirectory string
 
 	PluginFileUid int
@@ -910,6 +921,7 @@ func CreateCore(conf *CoreConfig) (*Core, error) {
 		clusterPeerClusterAddrsCache:   cache.New(3*clusterHeartbeatInterval, time.Second),
 		enableMlock:                    !conf.DisableMlock,
 		rawEnabled:                     conf.EnableRaw,
+		introspectionEnabled:           conf.EnableIntrospection,
 		shutdownDoneCh:                 new(atomic.Value),
 		replicationState:               new(uint32),
 		atomicPrimaryClusterAddrs:      new(atomic.Value),
@@ -3436,6 +3448,16 @@ func (c *Core) ReloadLogRequestsLevel() {
 	}
 }
 
+func (c *Core) ReloadIntrospectionEndpointEnabled() {
+	conf := c.rawConfig.Load()
+	if conf == nil {
+		return
+	}
+	c.introspectionEnabledLock.Lock()
+	defer c.introspectionEnabledLock.Unlock()
+	c.introspectionEnabled = conf.(*server.Config).EnableIntrospectionEndpoint
+}
+
 type PeerNode struct {
 	Hostname       string    `json:"hostname"`
 	APIAddress     string    `json:"api_address"`

vault/external_tests/api/sudo_paths_test.go

@@ -25,10 +25,11 @@ func TestSudoPaths(t *testing.T) {
 	t.Parallel()
 
 	coreConfig := &vault.CoreConfig{
-		DisableMlock: true,
-		DisableCache: true,
-		EnableRaw:    true,
-		Logger:       log.NewNullLogger(),
+		DisableMlock:        true,
+		DisableCache:        true,
+		EnableRaw:           true,
+		EnableIntrospection: true,
+		Logger:              log.NewNullLogger(),
 		CredentialBackends: map[string]logical.Factory{
 			"userpass": credUserpass.Factory,
 		},

vault/inspectable_test.go

@@ -4,13 +4,17 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/hashicorp/vault/command/server"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
 func TestInspectRouter(t *testing.T) {
 	// Verify that all the expected tables exist when we inspect the router
-	c, _, root := TestCoreUnsealed(t)
+	coreConfig := &CoreConfig{
+		EnableIntrospection: true,
+	}
+	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
 
 	rootCtx := namespace.RootContext(nil)
 	subTrees := map[string][]string{
@@ -50,7 +54,10 @@ func TestInspectRouter(t *testing.T) {
 
 func TestInvalidInspectRouterPath(t *testing.T) {
 	// Verify that attempting to inspect an invalid tree in the router fails
-	core, _, rootToken := testCoreSystemBackend(t)
+	coreConfig := &CoreConfig{
+		EnableIntrospection: true,
+	}
+	core, _, rootToken := TestCoreUnsealedWithConfig(t, coreConfig)
 	rootCtx := namespace.RootContext(nil)
 	_, err := core.HandleRequest(rootCtx, &logical.Request{
 		ClientToken: rootToken,
@@ -62,6 +69,23 @@ func TestInvalidInspectRouterPath(t *testing.T) {
 	}
 }
 
+func TestInspectAPIDisabled(t *testing.T) {
+	// Verify that the Inspect API is turned off by default
+	core, _, rootToken := testCoreSystemBackend(t)
+	rootCtx := namespace.RootContext(nil)
+	resp, err := core.HandleRequest(rootCtx, &logical.Request{
+		ClientToken: rootToken,
+		Operation:   logical.ReadOperation,
+		Path:        "sys/internal/inspect/router/root",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !resp.IsError() || !strings.Contains(resp.Error().Error(), ErrIntrospectionNotEnabled.Error()) {
+		t.Fatal("expected invalid configuration error")
+	}
+}
+
 func TestInspectAPISudoProtect(t *testing.T) {
 	// Verify that the Inspect API path is sudo protected
 	core, _, rootToken := testCoreSystemBackend(t)
@@ -76,3 +100,41 @@ func TestInspectAPISudoProtect(t *testing.T) {
 		t.Fatal("expected permission denied error")
 	}
 }
+
+func TestInspectAPIReload(t *testing.T) {
+	// Verify that the Inspect API is turned off by default
+	core, _, rootToken := testCoreSystemBackend(t)
+	rootCtx := namespace.RootContext(nil)
+	resp, err := core.HandleRequest(rootCtx, &logical.Request{
+		ClientToken: rootToken,
+		Operation:   logical.ReadOperation,
+		Path:        "sys/internal/inspect/router/root",
+	})
+	if err != nil {
+		t.Fatal("Unexpected error")
+	}
+	if !resp.IsError() {
+		t.Fatal("expected invalid configuration error")
+	}
+	if !strings.Contains(resp.Error().Error(), ErrIntrospectionNotEnabled.Error()) {
+		t.Fatalf("expected invalid configuration error but recieved: %s", resp.Error())
+	}
+
+	originalConfig := core.rawConfig.Load().(*server.Config)
+	newConfig := originalConfig
+	newConfig.EnableIntrospectionEndpointRaw = true
+	newConfig.EnableIntrospectionEndpoint = true
+
+	// Reload Endpoint
+	core.SetConfig(newConfig)
+	core.ReloadIntrospectionEndpointEnabled()
+
+	resp, err = core.HandleRequest(rootCtx, &logical.Request{
+		ClientToken: rootToken,
+		Operation:   logical.ReadOperation,
+		Path:        "sys/internal/inspect/router/root",
+	})
+	if err != nil || resp.IsError() {
+		t.Fatal("Unexpected error after reload")
+	}
+}

vault/logical_system.go

@@ -191,11 +191,11 @@ func NewSystemBackend(core *Core, logger log.Logger) *SystemBackend {
 	b.Backend.Paths = append(b.Backend.Paths, b.quotasPaths()...)
 	b.Backend.Paths = append(b.Backend.Paths, b.rootActivityPaths()...)
 	b.Backend.Paths = append(b.Backend.Paths, b.loginMFAPaths()...)
+	b.Backend.Paths = append(b.Backend.Paths, b.introspectionPaths()...)
 
 	if core.rawEnabled {
 		b.Backend.Paths = append(b.Backend.Paths, b.rawPaths()...)
 	}
-
 	if backend := core.getRaftBackend(); backend != nil {
 		b.Backend.Paths = append(b.Backend.Paths, b.raftStoragePaths()...)
 	}
@@ -4308,17 +4308,22 @@ func (b *SystemBackend) pathInternalCountersEntities(ctx context.Context, req *l
 }
 
 func (b *SystemBackend) pathInternalInspectRouter(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	tag := d.Get("tag").(string)
-	inspectableRouter, err := b.Core.router.GetRecords(tag)
-	if err != nil {
-		return nil, err
+	b.Core.introspectionEnabledLock.Lock()
+	defer b.Core.introspectionEnabledLock.Unlock()
+	if b.Core.introspectionEnabled {
+		tag := d.Get("tag").(string)
+		inspectableRouter, err := b.Core.router.GetRecords(tag)
+		if err != nil {
+			return nil, err
+		}
+		resp := &logical.Response{
+			Data: map[string]interface{}{
+				tag: inspectableRouter,
+			},
+		}
+		return resp, nil
 	}
-	resp := &logical.Response{
-		Data: map[string]interface{}{
-			tag: inspectableRouter,
-		},
-	}
-	return resp, nil
+	return logical.ErrorResponse(ErrIntrospectionNotEnabled.Error()), nil
 }
 
 func (b *SystemBackend) pathInternalUIResultantACL(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {

vault/logical_system_paths.go

@@ -1071,6 +1071,11 @@ func (b *SystemBackend) internalPaths() []*framework.Path {
 			HelpSynopsis:    strings.TrimSpace(sysHelp["internal-counters-entities"][0]),
 			HelpDescription: strings.TrimSpace(sysHelp["internal-counters-entities"][1]),
 		},
+	}
+}
+
+func (b *SystemBackend) introspectionPaths() []*framework.Path {
+	return []*framework.Path{
 		{
 			Pattern: "internal/inspect/router/" + framework.GenericNameRegex("tag"),
 			Fields: map[string]*framework.FieldSchema{

vault/testing.go

@@ -201,6 +201,7 @@ func TestCoreWithSealAndUINoCleanup(t testing.T, opts *CoreConfig) *Core {
 	// Override config values with ones that gets passed in
 	conf.EnableUI = opts.EnableUI
 	conf.EnableRaw = opts.EnableRaw
+	conf.EnableIntrospection = opts.EnableIntrospection
 	conf.Seal = opts.Seal
 	conf.LicensingConfig = opts.LicensingConfig
 	conf.DisableKeyEncodingChecks = opts.DisableKeyEncodingChecks