open-vault/command/agent/cache/handler.go
Violet Hynes 398cf38e1e
VAULT-11510 Vault Agent can start listeners without caching (#18137)
* VAULT-11510 Vault Agent can start listeners without caching

* VAULT-11510 fix order of imports

* VAULT-11510 changelog

* VAULT-11510 typo and better switch

* VAULT-11510 update name

* VAULT-11510 New api_proxy stanza to configure API proxy

* VAULT-11510 First pass at API Proxy docs

* VAULT-11510 nav data

* VAULT-11510 typo

* VAULT-11510 docs update
2022-12-05 10:51:03 -05:00

230 lines
6.2 KiB
Go

package cache
import (
"bufio"
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"io"
"io/ioutil"
"net/http"
"time"
"github.com/armon/go-metrics"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/command/agent/sink"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical"
)
func ProxyHandler(ctx context.Context, logger hclog.Logger, proxier Proxier, inmemSink sink.Sink, proxyVaultToken bool) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
logger.Info("received request", "method", r.Method, "path", r.URL.Path)
if !proxyVaultToken {
r.Header.Del(consts.AuthHeaderName)
}
token := r.Header.Get(consts.AuthHeaderName)
if token == "" && inmemSink != nil {
logger.Debug("using auto auth token", "method", r.Method, "path", r.URL.Path)
token = inmemSink.(sink.SinkReader).Token()
}
// Parse and reset body.
reqBody, err := io.ReadAll(r.Body)
if err != nil {
logger.Error("failed to read request body")
logical.RespondError(w, http.StatusInternalServerError, errors.New("failed to read request body"))
return
}
if r.Body != nil {
r.Body.Close()
}
r.Body = io.NopCloser(bytes.NewReader(reqBody))
req := &SendRequest{
Token: token,
Request: r,
RequestBody: reqBody,
}
resp, err := proxier.Send(ctx, req)
if err != nil {
// If this is an api.Response error, don't wrap the response.
if resp != nil && resp.Response.Error() != nil {
copyHeader(w.Header(), resp.Response.Header)
w.WriteHeader(resp.Response.StatusCode)
io.Copy(w, resp.Response.Body)
metrics.IncrCounter([]string{"agent", "proxy", "client_error"}, 1)
} else {
metrics.IncrCounter([]string{"agent", "proxy", "error"}, 1)
logical.RespondError(w, http.StatusInternalServerError, fmt.Errorf("failed to get the response: %w", err))
}
return
}
err = sanitizeAutoAuthTokenResponse(ctx, logger, inmemSink, req, resp)
if err != nil {
logical.RespondError(w, http.StatusInternalServerError, fmt.Errorf("failed to process token lookup response: %w", err))
return
}
defer resp.Response.Body.Close()
metrics.IncrCounter([]string{"agent", "proxy", "success"}, 1)
if resp.CacheMeta != nil {
if resp.CacheMeta.Hit {
metrics.IncrCounter([]string{"agent", "cache", "hit"}, 1)
} else {
metrics.IncrCounter([]string{"agent", "cache", "miss"}, 1)
}
}
// Set headers
setHeaders(w, resp)
// Set response body
io.Copy(w, resp.Response.Body)
return
})
}
// setHeaders is a helper that sets the header values based on SendResponse. It
// copies over the headers from the original response and also includes any
// cache-related headers.
func setHeaders(w http.ResponseWriter, resp *SendResponse) {
// Set header values
copyHeader(w.Header(), resp.Response.Header)
if resp.CacheMeta != nil {
xCacheVal := "MISS"
if resp.CacheMeta.Hit {
xCacheVal = "HIT"
// If this is a cache hit, we also set the Age header
age := fmt.Sprintf("%.0f", resp.CacheMeta.Age.Seconds())
w.Header().Set("Age", age)
// Update the date value
w.Header().Set("Date", time.Now().Format(http.TimeFormat))
}
w.Header().Set("X-Cache", xCacheVal)
}
// Set status code
w.WriteHeader(resp.Response.StatusCode)
}
// sanitizeAutoAuthTokenResponse checks if the request was a lookup or renew
// and if the auto-auth token was used to perform lookup-self, the identifier
// of the token and its accessor same will be stripped off of the response.
func sanitizeAutoAuthTokenResponse(ctx context.Context, logger hclog.Logger, inmemSink sink.Sink, req *SendRequest, resp *SendResponse) error {
// If auto-auth token is not being used, there is nothing to do.
if inmemSink == nil {
return nil
}
autoAuthToken := inmemSink.(sink.SinkReader).Token()
// If lookup responded with non 200 status, there is nothing to do.
if resp.Response.StatusCode != http.StatusOK {
return nil
}
_, path := deriveNamespaceAndRevocationPath(req)
switch path {
case vaultPathTokenLookupSelf, vaultPathTokenRenewSelf:
if req.Token != autoAuthToken {
return nil
}
case vaultPathTokenLookup, vaultPathTokenRenew:
jsonBody := map[string]interface{}{}
if err := json.Unmarshal(req.RequestBody, &jsonBody); err != nil {
return err
}
tokenRaw, ok := jsonBody["token"]
if !ok {
// Input error will be caught by the API
return nil
}
token, ok := tokenRaw.(string)
if !ok {
// Input error will be caught by the API
return nil
}
if token != "" && token != autoAuthToken {
// Lookup is performed on the non-auto-auth token
return nil
}
default:
return nil
}
logger.Info("stripping auto-auth token from the response", "method", req.Request.Method, "path", req.Request.URL.Path)
secret, err := api.ParseSecret(bytes.NewReader(resp.ResponseBody))
if err != nil {
return fmt.Errorf("failed to parse token lookup response: %v", err)
}
if secret == nil {
return nil
} else if secret.Data != nil {
// lookup endpoints
if secret.Data["id"] == nil && secret.Data["accessor"] == nil {
return nil
}
delete(secret.Data, "id")
delete(secret.Data, "accessor")
} else if secret.Auth != nil {
// renew endpoints
if secret.Auth.Accessor == "" && secret.Auth.ClientToken == "" {
return nil
}
secret.Auth.Accessor = ""
secret.Auth.ClientToken = ""
} else {
// nothing to redact
return nil
}
bodyBytes, err := json.Marshal(secret)
if err != nil {
return err
}
if resp.Response.Body != nil {
resp.Response.Body.Close()
}
resp.Response.Body = ioutil.NopCloser(bytes.NewReader(bodyBytes))
resp.Response.ContentLength = int64(len(bodyBytes))
// Serialize and re-read the response
var respBytes bytes.Buffer
err = resp.Response.Write(&respBytes)
if err != nil {
return fmt.Errorf("failed to serialize the updated response: %v", err)
}
updatedResponse, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(respBytes.Bytes())), nil)
if err != nil {
return fmt.Errorf("failed to deserialize the updated response: %v", err)
}
resp.Response = &api.Response{
Response: updatedResponse,
}
resp.ResponseBody = bodyBytes
return nil
}
func copyHeader(dst, src http.Header) {
for k, vv := range src {
for _, v := range vv {
dst.Add(k, v)
}
}
}