open-vault/http/logical.go

150 lines
3.9 KiB
Go

package http
import (
"io"
"net/http"
"strings"
"time"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/vault"
)
func handleLogical(core *vault.Core) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Determine the path...
if !strings.HasPrefix(r.URL.Path, "/v1/") {
respondError(w, http.StatusNotFound, nil)
return
}
path := r.URL.Path[len("/v1/"):]
if path == "" {
respondError(w, http.StatusNotFound, nil)
return
}
// Determine the operation
var op logical.Operation
switch r.Method {
case "DELETE":
op = logical.DeleteOperation
case "GET":
op = logical.ReadOperation
case "POST":
fallthrough
case "PUT":
op = logical.WriteOperation
default:
respondError(w, http.StatusMethodNotAllowed, nil)
return
}
// Parse the request if we can
var req map[string]interface{}
if op == logical.WriteOperation {
err := parseRequest(r, &req)
if err == io.EOF {
req = nil
err = nil
}
if err != nil {
respondError(w, http.StatusBadRequest, err)
return
}
}
// Make the internal request. We attach the connection info
// as well in case this is an authentication request that requires
// it. Vault core handles stripping this if we need to.
resp, ok := request(core, w, r, requestAuth(r, &logical.Request{
Operation: op,
Path: path,
Data: req,
Connection: &logical.Connection{
RemoteAddr: r.RemoteAddr,
ConnState: r.TLS,
},
}))
if !ok {
return
}
if op == logical.ReadOperation && resp == nil {
respondError(w, http.StatusNotFound, nil)
return
}
// Build the proper response
respondLogical(w, r, path, resp)
})
}
func respondLogical(w http.ResponseWriter, r *http.Request, path string, resp *logical.Response) {
var httpResp interface{}
if resp != nil {
if resp.Redirect != "" {
// If we have a redirect, redirect! We use a 302 code
// because we don't actually know if its permanent.
http.Redirect(w, r, resp.Redirect, 302)
return
}
logicalResp := &LogicalResponse{Data: resp.Data}
if resp.Secret != nil {
logicalResp.LeaseID = resp.Secret.LeaseID
logicalResp.Renewable = resp.Secret.Renewable
logicalResp.LeaseDuration = int(resp.Secret.Lease.Seconds())
}
// If we have authentication information, then set the cookie
// and setup the result structure.
if resp.Auth != nil {
expireDuration := 365 * 24 * time.Hour
if logicalResp.LeaseDuration != 0 {
expireDuration =
time.Duration(logicalResp.LeaseDuration) * time.Second
}
// Do not set the token as the auth cookie if the endpoint
// is the token store. Otherwise, attempting to create a token
// will cause the client to be authenticated as that token.
if !strings.HasPrefix(path, "auth/token/") {
http.SetCookie(w, &http.Cookie{
Name: AuthCookieName,
Value: resp.Auth.ClientToken,
Path: "/",
Expires: time.Now().UTC().Add(expireDuration),
})
}
logicalResp.Auth = &Auth{
ClientToken: resp.Auth.ClientToken,
Policies: resp.Auth.Policies,
Metadata: resp.Auth.Metadata,
LeaseDuration: int(resp.Auth.Lease.Seconds()),
Renewable: resp.Auth.Renewable,
}
}
httpResp = logicalResp
}
// Respond
respondOk(w, httpResp)
}
type LogicalResponse struct {
LeaseID string `json:"lease_id"`
Renewable bool `json:"renewable"`
LeaseDuration int `json:"lease_duration"`
Data map[string]interface{} `json:"data"`
Auth *Auth `json:"auth"`
}
type Auth struct {
ClientToken string `json:"client_token"`
Policies []string `json:"policies"`
Metadata map[string]string `json:"metadata"`
LeaseDuration int `json:"lease_duration"`
Renewable bool `json:"renewable"`
}