Vault UI is not available in this binary.
To get Vault UI do one of the following:
- Download an official release
- Run
make bin
to create your own release binaries. - Run
make dev-ui
to create a development binary with the UI.
// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 package http import ( "bytes" "context" "encoding/json" "errors" "fmt" "io" "io/fs" "io/ioutil" "mime" "net" "net/http" "net/http/pprof" "net/textproto" "net/url" "os" "regexp" "strings" "time" "github.com/NYTimes/gziphandler" "github.com/hashicorp/errwrap" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-secure-stdlib/parseutil" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/internalshared/configutil" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/pathmanager" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" ) const ( // WrapTTLHeaderName is the name of the header containing a directive to // wrap the response WrapTTLHeaderName = "X-Vault-Wrap-TTL" // WrapFormatHeaderName is the name of the header containing the format to // wrap in; has no effect if the wrap TTL is not set WrapFormatHeaderName = "X-Vault-Wrap-Format" // NoRequestForwardingHeaderName is the name of the header telling Vault // not to use request forwarding NoRequestForwardingHeaderName = "X-Vault-No-Request-Forwarding" // MFAHeaderName represents the HTTP header which carries the credentials // required to perform MFA on any path. MFAHeaderName = "X-Vault-MFA" // canonicalMFAHeaderName is the MFA header value's format in the request // headers. Do not alter the casing of this string. canonicalMFAHeaderName = "X-Vault-Mfa" // PolicyOverrideHeaderName is the header set to request overriding // soft-mandatory Sentinel policies. PolicyOverrideHeaderName = "X-Vault-Policy-Override" VaultIndexHeaderName = "X-Vault-Index" VaultInconsistentHeaderName = "X-Vault-Inconsistent" VaultForwardHeaderName = "X-Vault-Forward" VaultInconsistentForward = "forward-active-node" VaultInconsistentFail = "fail" // DefaultMaxRequestSize is the default maximum accepted request size. This // is to prevent a denial of service attack where no Content-Length is // provided and the server is fed ever more data until it exhausts memory. // Can be overridden per listener. DefaultMaxRequestSize = 32 * 1024 * 1024 ) var ( // Set to false by stub_asset if the ui build tag isn't enabled uiBuiltIn = true // perfStandbyAlwaysForwardPaths is used to check a requested path against // the always forward list perfStandbyAlwaysForwardPaths = pathmanager.New() alwaysRedirectPaths = pathmanager.New() injectDataIntoTopRoutes = []string{ "/v1/sys/audit", "/v1/sys/audit/", "/v1/sys/audit-hash/", "/v1/sys/auth", "/v1/sys/auth/", "/v1/sys/config/cors", "/v1/sys/config/auditing/request-headers/", "/v1/sys/config/auditing/request-headers", "/v1/sys/capabilities", "/v1/sys/capabilities-accessor", "/v1/sys/capabilities-self", "/v1/sys/ha-status", "/v1/sys/key-status", "/v1/sys/mounts", "/v1/sys/mounts/", "/v1/sys/policy", "/v1/sys/policy/", "/v1/sys/rekey/backup", "/v1/sys/rekey/recovery-key-backup", "/v1/sys/remount", "/v1/sys/rotate", "/v1/sys/wrapping/wrap", } oidcProtectedPathRegex = regexp.MustCompile(`^identity/oidc/provider/\w(([\w-.]+)?\w)?/userinfo$`) ) func init() { alwaysRedirectPaths.AddPaths([]string{ "sys/storage/raft/snapshot", "sys/storage/raft/snapshot-force", "!sys/storage/raft/snapshot-auto/config", }) } type HandlerAnchor struct{} func (h HandlerAnchor) Handler(props *vault.HandlerProperties) http.Handler { return handler(props) } var Handler vault.HandlerHandler = HandlerAnchor{} type HandlerFunc func(props *vault.HandlerProperties) http.Handler func (h HandlerFunc) Handler(props *vault.HandlerProperties) http.Handler { return h(props) } var _ vault.HandlerHandler = HandlerFunc(func(props *vault.HandlerProperties) http.Handler { return nil }) // handler returns an http.Handler for the API. This can be used on // its own to mount the Vault API within another web server. func handler(props *vault.HandlerProperties) http.Handler { core := props.Core // Create the muxer to handle the actual endpoints mux := http.NewServeMux() switch { case props.RecoveryMode: raw := vault.NewRawBackend(core) strategy := vault.GenerateRecoveryTokenStrategy(props.RecoveryToken) mux.Handle("/v1/sys/raw/", handleLogicalRecovery(raw, props.RecoveryToken)) mux.Handle("/v1/sys/generate-recovery-token/attempt", handleSysGenerateRootAttempt(core, strategy)) mux.Handle("/v1/sys/generate-recovery-token/update", handleSysGenerateRootUpdate(core, strategy)) default: // Handle non-forwarded paths mux.Handle("/v1/sys/config/state/", handleLogicalNoForward(core)) mux.Handle("/v1/sys/host-info", handleLogicalNoForward(core)) mux.Handle("/v1/sys/init", handleSysInit(core)) mux.Handle("/v1/sys/seal-status", handleSysSealStatus(core)) mux.Handle("/v1/sys/seal", handleSysSeal(core)) mux.Handle("/v1/sys/step-down", handleRequestForwarding(core, handleSysStepDown(core))) mux.Handle("/v1/sys/unseal", handleSysUnseal(core)) mux.Handle("/v1/sys/leader", handleSysLeader(core)) mux.Handle("/v1/sys/health", handleSysHealth(core)) mux.Handle("/v1/sys/monitor", handleLogicalNoForward(core)) mux.Handle("/v1/sys/generate-root/attempt", handleRequestForwarding(core, handleAuditNonLogical(core, handleSysGenerateRootAttempt(core, vault.GenerateStandardRootTokenStrategy)))) mux.Handle("/v1/sys/generate-root/update", handleRequestForwarding(core, handleAuditNonLogical(core, handleSysGenerateRootUpdate(core, vault.GenerateStandardRootTokenStrategy)))) mux.Handle("/v1/sys/rekey/init", handleRequestForwarding(core, handleSysRekeyInit(core, false))) mux.Handle("/v1/sys/rekey/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, false))) mux.Handle("/v1/sys/rekey/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, false))) mux.Handle("/v1/sys/rekey-recovery-key/init", handleRequestForwarding(core, handleSysRekeyInit(core, true))) mux.Handle("/v1/sys/rekey-recovery-key/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, true))) mux.Handle("/v1/sys/rekey-recovery-key/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, true))) mux.Handle("/v1/sys/storage/raft/bootstrap", handleSysRaftBootstrap(core)) mux.Handle("/v1/sys/storage/raft/join", handleSysRaftJoin(core)) mux.Handle("/v1/sys/internal/ui/feature-flags", handleSysInternalFeatureFlags(core)) for _, path := range injectDataIntoTopRoutes { mux.Handle(path, handleRequestForwarding(core, handleLogicalWithInjector(core))) } mux.Handle("/v1/sys/", handleRequestForwarding(core, handleLogical(core))) mux.Handle("/v1/", handleRequestForwarding(core, handleLogical(core))) if core.UIEnabled() { if uiBuiltIn { mux.Handle("/ui/", http.StripPrefix("/ui/", gziphandler.GzipHandler(handleUIHeaders(core, handleUI(http.FileServer(&UIAssetWrapper{FileSystem: assetFS()})))))) mux.Handle("/robots.txt", gziphandler.GzipHandler(handleUIHeaders(core, handleUI(http.FileServer(&UIAssetWrapper{FileSystem: assetFS()}))))) } else { mux.Handle("/ui/", handleUIHeaders(core, handleUIStub())) } mux.Handle("/ui", handleUIRedirect()) mux.Handle("/", handleUIRedirect()) } // Register metrics path without authentication if enabled if props.ListenerConfig != nil && props.ListenerConfig.Telemetry.UnauthenticatedMetricsAccess { mux.Handle("/v1/sys/metrics", handleMetricsUnauthenticated(core)) } else { mux.Handle("/v1/sys/metrics", handleLogicalNoForward(core)) } if props.ListenerConfig != nil && props.ListenerConfig.Profiling.UnauthenticatedPProfAccess { for _, name := range []string{"goroutine", "threadcreate", "heap", "allocs", "block", "mutex"} { mux.Handle("/v1/sys/pprof/"+name, pprof.Handler(name)) } mux.Handle("/v1/sys/pprof/", http.HandlerFunc(pprof.Index)) mux.Handle("/v1/sys/pprof/cmdline", http.HandlerFunc(pprof.Cmdline)) mux.Handle("/v1/sys/pprof/profile", http.HandlerFunc(pprof.Profile)) mux.Handle("/v1/sys/pprof/symbol", http.HandlerFunc(pprof.Symbol)) mux.Handle("/v1/sys/pprof/trace", http.HandlerFunc(pprof.Trace)) } else { mux.Handle("/v1/sys/pprof/", handleLogicalNoForward(core)) } if props.ListenerConfig != nil && props.ListenerConfig.InFlightRequestLogging.UnauthenticatedInFlightAccess { mux.Handle("/v1/sys/in-flight-req", handleUnAuthenticatedInFlightRequest(core)) } else { mux.Handle("/v1/sys/in-flight-req", handleLogicalNoForward(core)) } additionalRoutes(mux, core) } // Wrap the handler in another handler to trigger all help paths. helpWrappedHandler := wrapHelpHandler(mux, core) corsWrappedHandler := wrapCORSHandler(helpWrappedHandler, core) quotaWrappedHandler := rateLimitQuotaWrapping(corsWrappedHandler, core) genericWrappedHandler := genericWrapping(core, quotaWrappedHandler, props) // Wrap the handler with PrintablePathCheckHandler to check for non-printable // characters in the request path. printablePathCheckHandler := genericWrappedHandler if !props.DisablePrintableCheck { printablePathCheckHandler = cleanhttp.PrintablePathCheckHandler(genericWrappedHandler, nil) } return printablePathCheckHandler } type copyResponseWriter struct { wrapped http.ResponseWriter statusCode int body *bytes.Buffer } // newCopyResponseWriter returns an initialized newCopyResponseWriter func newCopyResponseWriter(wrapped http.ResponseWriter) *copyResponseWriter { w := ©ResponseWriter{ wrapped: wrapped, body: new(bytes.Buffer), statusCode: 200, } return w } func (w *copyResponseWriter) Header() http.Header { return w.wrapped.Header() } func (w *copyResponseWriter) Write(buf []byte) (int, error) { w.body.Write(buf) return w.wrapped.Write(buf) } func (w *copyResponseWriter) WriteHeader(code int) { w.statusCode = code w.wrapped.WriteHeader(code) } func handleAuditNonLogical(core *vault.Core, h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { origBody := new(bytes.Buffer) reader := ioutil.NopCloser(io.TeeReader(r.Body, origBody)) r.Body = reader req, _, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), w, r) if err != nil || status != 0 { respondError(w, status, err) return } if origBody != nil { r.Body = ioutil.NopCloser(origBody) } input := &logical.LogInput{ Request: req, } err = core.AuditLogger().AuditRequest(r.Context(), input) if err != nil { respondError(w, status, err) return } cw := newCopyResponseWriter(w) h.ServeHTTP(cw, r) data := make(map[string]interface{}) err = jsonutil.DecodeJSON(cw.body.Bytes(), &data) if err != nil { // best effort, ignore } httpResp := &logical.HTTPResponse{Data: data, Headers: cw.Header()} input.Response = logical.HTTPResponseToLogicalResponse(httpResp) err = core.AuditLogger().AuditResponse(r.Context(), input) if err != nil { respondError(w, status, err) } return }) } // wrapGenericHandler wraps the handler with an extra layer of handler where // tasks that should be commonly handled for all the requests and/or responses // are performed. func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerProperties) http.Handler { var maxRequestDuration time.Duration var maxRequestSize int64 if props.ListenerConfig != nil { maxRequestDuration = props.ListenerConfig.MaxRequestDuration maxRequestSize = props.ListenerConfig.MaxRequestSize } if maxRequestDuration == 0 { maxRequestDuration = vault.DefaultMaxRequestDuration } if maxRequestSize == 0 { maxRequestSize = DefaultMaxRequestSize } // Swallow this error since we don't want to pollute the logs and we also don't want to // return an HTTP error here. This information is best effort. hostname, _ := os.Hostname() return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // This block needs to be here so that upon sending SIGHUP, custom response // headers are also reloaded into the handlers. var customHeaders map[string][]*logical.CustomHeader if props.ListenerConfig != nil { la := props.ListenerConfig.Address listenerCustomHeaders := core.GetListenerCustomResponseHeaders(la) if listenerCustomHeaders != nil { customHeaders = listenerCustomHeaders.StatusCodeHeaderMap } } // saving start time for the in-flight requests inFlightReqStartTime := time.Now() nw := logical.NewStatusHeaderResponseWriter(w, customHeaders) // Set the Cache-Control header for all the responses returned // by Vault nw.Header().Set("Cache-Control", "no-store") // Start with the request context ctx := r.Context() var cancelFunc context.CancelFunc // Add our timeout, but not for the monitor or events endpoints, as they are streaming if strings.HasSuffix(r.URL.Path, "sys/monitor") || strings.Contains(r.URL.Path, "sys/events") { ctx, cancelFunc = context.WithCancel(ctx) } else { ctx, cancelFunc = context.WithTimeout(ctx, maxRequestDuration) } // if maxRequestSize < 0, no need to set context value // Add a size limiter if desired if maxRequestSize > 0 { ctx = context.WithValue(ctx, "max_request_size", maxRequestSize) } ctx = context.WithValue(ctx, "original_request_path", r.URL.Path) r = r.WithContext(ctx) r = r.WithContext(namespace.ContextWithNamespace(r.Context(), namespace.RootNamespace)) // Set some response headers with raft node id (if applicable) and hostname, if available if core.RaftNodeIDHeaderEnabled() { nodeID := core.GetRaftNodeID() if nodeID != "" { nw.Header().Set("X-Vault-Raft-Node-ID", nodeID) } } if core.HostnameHeaderEnabled() && hostname != "" { nw.Header().Set("X-Vault-Hostname", hostname) } switch { case strings.HasPrefix(r.URL.Path, "/v1/"): newR, status := adjustRequest(core, r) if status != 0 { respondError(nw, status, nil) cancelFunc() return } r = newR case strings.HasPrefix(r.URL.Path, "/ui"), r.URL.Path == "/robots.txt", r.URL.Path == "/": default: respondError(nw, http.StatusNotFound, nil) cancelFunc() return } // The uuid for the request is going to be generated when a logical // request is generated. But, here we generate one to be able to track // in-flight requests, and use that to update the req data with clientID inFlightReqID, err := uuid.GenerateUUID() if err != nil { respondError(nw, http.StatusInternalServerError, fmt.Errorf("failed to generate an identifier for the in-flight request")) } // adding an entry to the context to enable updating in-flight // data with ClientID in the logical layer r = r.WithContext(context.WithValue(r.Context(), logical.CtxKeyInFlightRequestID{}, inFlightReqID)) // extracting the client address to be included in the in-flight request var clientAddr string headers := r.Header[textproto.CanonicalMIMEHeaderKey("X-Forwarded-For")] if len(headers) == 0 { clientAddr = r.RemoteAddr } else { clientAddr = headers[0] } // getting the request method requestMethod := r.Method // Storing the in-flight requests. Path should include namespace as well core.StoreInFlightReqData( inFlightReqID, vault.InFlightReqData{ StartTime: inFlightReqStartTime, ReqPath: r.URL.Path, ClientRemoteAddr: clientAddr, Method: requestMethod, }) defer func() { // Not expecting this fail, so skipping the assertion check core.FinalizeInFlightReqData(inFlightReqID, nw.StatusCode) }() // Setting the namespace in the header to be included in the error message ns := r.Header.Get(consts.NamespaceHeaderName) if ns != "" { nw.Header().Set(consts.NamespaceHeaderName, ns) } h.ServeHTTP(nw, r) cancelFunc() return }) } func WrapForwardedForHandler(h http.Handler, l *configutil.Listener) http.Handler { rejectNotPresent := l.XForwardedForRejectNotPresent hopSkips := l.XForwardedForHopSkips authorizedAddrs := l.XForwardedForAuthorizedAddrs rejectNotAuthz := l.XForwardedForRejectNotAuthorized return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { headers, headersOK := r.Header[textproto.CanonicalMIMEHeaderKey("X-Forwarded-For")] if !headersOK || len(headers) == 0 { if !rejectNotPresent { h.ServeHTTP(w, r) return } respondError(w, http.StatusBadRequest, fmt.Errorf("missing x-forwarded-for header and configured to reject when not present")) return } host, port, err := net.SplitHostPort(r.RemoteAddr) if err != nil { // If not rejecting treat it like we just don't have a valid // header because we can't do a comparison against an address we // can't understand if !rejectNotPresent { h.ServeHTTP(w, r) return } respondError(w, http.StatusBadRequest, fmt.Errorf("error parsing client hostport: %w", err)) return } addr, err := sockaddr.NewIPAddr(host) if err != nil { // We treat this the same as the case above if !rejectNotPresent { h.ServeHTTP(w, r) return } respondError(w, http.StatusBadRequest, fmt.Errorf("error parsing client address: %w", err)) return } var found bool for _, authz := range authorizedAddrs { if authz.Contains(addr) { found = true break } } if !found { // If we didn't find it and aren't configured to reject, simply // don't trust it if !rejectNotAuthz { h.ServeHTTP(w, r) return } respondError(w, http.StatusBadRequest, fmt.Errorf("client address not authorized for x-forwarded-for and configured to reject connection")) return } // At this point we have at least one value and it's authorized // Split comma separated ones, which are common. This brings it in line // to the multiple-header case. var acc []string for _, header := range headers { vals := strings.Split(header, ",") for _, v := range vals { acc = append(acc, strings.TrimSpace(v)) } } indexToUse := int64(len(acc)) - 1 - hopSkips if indexToUse < 0 { // This is likely an error in either configuration or other // infrastructure. We could either deny the request, or we // could simply not trust the value. Denying the request is // "safer" since if this logic is configured at all there may // be an assumption it can always be trusted. Given that we can // deny accepting the request at all if it's not from an // authorized address, if we're at this point the address is // authorized (or we've turned off explicit rejection) and we // should assume that what comes in should be properly // formatted. respondError(w, http.StatusBadRequest, fmt.Errorf("malformed x-forwarded-for configuration or request, hops to skip (%d) would skip before earliest chain link (chain length %d)", hopSkips, len(headers))) return } r.RemoteAddr = net.JoinHostPort(acc[indexToUse], port) h.ServeHTTP(w, r) return }) } // stripPrefix is a helper to strip a prefix from the path. It will // return false from the second return value if it the prefix doesn't exist. func stripPrefix(prefix, path string) (string, bool) { if !strings.HasPrefix(path, prefix) { return "", false } path = path[len(prefix):] if path == "" { return "", false } return path, true } func handleUIHeaders(core *vault.Core, h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { header := w.Header() userHeaders, err := core.UIHeaders() if err != nil { respondError(w, http.StatusInternalServerError, err) return } if userHeaders != nil { for k := range userHeaders { v := userHeaders.Get(k) header.Set(k, v) } } h.ServeHTTP(w, req) }) } func handleUI(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { // The fileserver handler strips trailing slashes and does a redirect. // We don't want the redirect to happen so we preemptively trim the slash // here. req.URL.Path = strings.TrimSuffix(req.URL.Path, "/") h.ServeHTTP(w, req) return }) } func handleUIStub() http.Handler { stubHTML := `
To get Vault UI do one of the following:
make bin
to create your own release binaries.
make dev-ui
to create a development binary with the UI.