2023-03-15 19:00:52 +03:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
|
2019-04-15 20:38:08 +03:00
|
|
|
package api
|
2017-03-16 21:55:21 +03:00
|
|
|
|
|
|
|
|
import (
|
2022-03-24 00:47:43 +03:00
|
|
|
"context"
|
2017-03-16 21:55:21 +03:00
|
|
|
"crypto/tls"
|
|
|
|
|
"crypto/x509"
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"errors"
|
2019-04-13 00:54:35 +03:00
|
|
|
"flag"
|
2017-03-16 21:55:21 +03:00
|
|
|
"net/url"
|
|
|
|
|
"os"
|
2022-04-28 02:35:18 +03:00
|
|
|
"regexp"
|
2017-03-16 21:55:21 +03:00
|
|
|
|
2023-05-23 15:25:58 +03:00
|
|
|
"github.com/go-jose/go-jose/v3/jwt"
|
2019-03-20 21:54:03 +03:00
|
|
|
|
2017-03-16 21:55:21 +03:00
|
|
|
"github.com/hashicorp/errwrap"
|
2019-05-09 02:21:23 +03:00
|
|
|
)
|
|
|
|
|
|
2022-08-30 05:42:26 +03:00
|
|
|
const (
|
|
|
|
|
// PluginAutoMTLSEnv is used to ensure AutoMTLS is used. This will override
|
|
|
|
|
// setting a TLSProviderFunc for a plugin.
|
|
|
|
|
PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS_ENABLED"
|
|
|
|
|
|
2019-05-09 02:21:23 +03:00
|
|
|
// PluginMetadataModeEnv is an ENV name used to disable TLS communication
|
|
|
|
|
// to bootstrap mounting plugins.
|
|
|
|
|
PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"
|
|
|
|
|
|
|
|
|
|
// PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the
|
|
|
|
|
// plugin.
|
|
|
|
|
PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"
|
2017-03-16 21:55:21 +03:00
|
|
|
)
|
|
|
|
|
|
2022-08-30 05:42:26 +03:00
|
|
|
// sudoPaths is a map containing the paths that require a token's policy
|
|
|
|
|
// to have the "sudo" capability. The keys are the paths as strings, in
|
|
|
|
|
// the same format as they are returned by the OpenAPI spec. The values
|
|
|
|
|
// are the regular expressions that can be used to test whether a given
|
|
|
|
|
// path matches that path or not (useful specifically for the paths that
|
|
|
|
|
// contain templated fields.)
|
|
|
|
|
var sudoPaths = map[string]*regexp.Regexp{
|
2023-07-06 23:01:33 +03:00
|
|
|
"/auth/token/accessors": regexp.MustCompile(`^/auth/token/accessors/?$`),
|
2023-01-10 19:16:59 +03:00
|
|
|
"/pki/root": regexp.MustCompile(`^/pki/root$`),
|
|
|
|
|
"/pki/root/sign-self-issued": regexp.MustCompile(`^/pki/root/sign-self-issued$`),
|
2022-08-30 05:42:26 +03:00
|
|
|
"/sys/audit": regexp.MustCompile(`^/sys/audit$`),
|
|
|
|
|
"/sys/audit/{path}": regexp.MustCompile(`^/sys/audit/.+$`),
|
|
|
|
|
"/sys/auth/{path}": regexp.MustCompile(`^/sys/auth/.+$`),
|
|
|
|
|
"/sys/auth/{path}/tune": regexp.MustCompile(`^/sys/auth/.+/tune$`),
|
|
|
|
|
"/sys/config/auditing/request-headers": regexp.MustCompile(`^/sys/config/auditing/request-headers$`),
|
|
|
|
|
"/sys/config/auditing/request-headers/{header}": regexp.MustCompile(`^/sys/config/auditing/request-headers/.+$`),
|
|
|
|
|
"/sys/config/cors": regexp.MustCompile(`^/sys/config/cors$`),
|
2023-07-06 23:01:33 +03:00
|
|
|
"/sys/config/ui/headers": regexp.MustCompile(`^/sys/config/ui/headers/?$`),
|
2022-08-30 05:42:26 +03:00
|
|
|
"/sys/config/ui/headers/{header}": regexp.MustCompile(`^/sys/config/ui/headers/.+$`),
|
|
|
|
|
"/sys/leases": regexp.MustCompile(`^/sys/leases$`),
|
2023-02-21 18:12:45 +03:00
|
|
|
"/sys/leases/lookup/": regexp.MustCompile(`^/sys/leases/lookup/?$`),
|
2022-08-30 05:42:26 +03:00
|
|
|
"/sys/leases/lookup/{prefix}": regexp.MustCompile(`^/sys/leases/lookup/.+$`),
|
|
|
|
|
"/sys/leases/revoke-force/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-force/.+$`),
|
|
|
|
|
"/sys/leases/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-prefix/.+$`),
|
|
|
|
|
"/sys/plugins/catalog/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[^/]+$`),
|
|
|
|
|
"/sys/plugins/catalog/{type}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+$`),
|
|
|
|
|
"/sys/plugins/catalog/{type}/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+/[^/]+$`),
|
|
|
|
|
"/sys/raw": regexp.MustCompile(`^/sys/raw$`),
|
|
|
|
|
"/sys/raw/{path}": regexp.MustCompile(`^/sys/raw/.+$`),
|
|
|
|
|
"/sys/remount": regexp.MustCompile(`^/sys/remount$`),
|
|
|
|
|
"/sys/revoke-force/{prefix}": regexp.MustCompile(`^/sys/revoke-force/.+$`),
|
|
|
|
|
"/sys/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/revoke-prefix/.+$`),
|
|
|
|
|
"/sys/rotate": regexp.MustCompile(`^/sys/rotate$`),
|
2022-11-04 19:39:09 +03:00
|
|
|
"/sys/internal/inspect/router/{tag}": regexp.MustCompile(`^/sys/internal/inspect/router/.+$`),
|
2022-08-30 05:42:26 +03:00
|
|
|
|
|
|
|
|
// enterprise-only paths
|
|
|
|
|
"/sys/replication/dr/primary/secondary-token": regexp.MustCompile(`^/sys/replication/dr/primary/secondary-token$`),
|
|
|
|
|
"/sys/replication/performance/primary/secondary-token": regexp.MustCompile(`^/sys/replication/performance/primary/secondary-token$`),
|
|
|
|
|
"/sys/replication/primary/secondary-token": regexp.MustCompile(`^/sys/replication/primary/secondary-token$`),
|
|
|
|
|
"/sys/replication/reindex": regexp.MustCompile(`^/sys/replication/reindex$`),
|
2023-02-21 18:12:45 +03:00
|
|
|
"/sys/storage/raft/snapshot-auto/config/": regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/?$`),
|
2022-08-30 05:42:26 +03:00
|
|
|
"/sys/storage/raft/snapshot-auto/config/{name}": regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/[^/]+$`),
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-15 20:38:08 +03:00
|
|
|
// PluginAPIClientMeta is a helper that plugins can use to configure TLS connections
|
2019-04-13 00:54:35 +03:00
|
|
|
// back to Vault.
|
2019-04-15 20:38:08 +03:00
|
|
|
type PluginAPIClientMeta struct {
|
2019-04-13 00:54:35 +03:00
|
|
|
// These are set by the command line flags.
|
|
|
|
|
flagCACert string
|
|
|
|
|
flagCAPath string
|
|
|
|
|
flagClientCert string
|
|
|
|
|
flagClientKey string
|
2023-10-20 17:29:08 +03:00
|
|
|
flagServerName string
|
2019-04-13 00:54:35 +03:00
|
|
|
flagInsecure bool
|
2017-03-17 00:14:49 +03:00
|
|
|
}
|
|
|
|
|
|
2019-04-13 00:54:35 +03:00
|
|
|
// FlagSet returns the flag set for configuring the TLS connection
|
2019-04-15 20:38:08 +03:00
|
|
|
func (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet {
|
2019-04-13 00:54:35 +03:00
|
|
|
fs := flag.NewFlagSet("vault plugin settings", flag.ContinueOnError)
|
2017-03-17 00:14:49 +03:00
|
|
|
|
2019-04-13 00:54:35 +03:00
|
|
|
fs.StringVar(&f.flagCACert, "ca-cert", "", "")
|
|
|
|
|
fs.StringVar(&f.flagCAPath, "ca-path", "", "")
|
|
|
|
|
fs.StringVar(&f.flagClientCert, "client-cert", "", "")
|
|
|
|
|
fs.StringVar(&f.flagClientKey, "client-key", "", "")
|
2023-10-20 17:29:08 +03:00
|
|
|
fs.StringVar(&f.flagServerName, "tls-server-name", "", "")
|
2019-04-13 00:54:35 +03:00
|
|
|
fs.BoolVar(&f.flagInsecure, "tls-skip-verify", false, "")
|
2017-03-17 00:14:49 +03:00
|
|
|
|
2019-04-13 00:54:35 +03:00
|
|
|
return fs
|
2017-03-17 00:14:49 +03:00
|
|
|
}
|
|
|
|
|
|
2019-04-13 00:54:35 +03:00
|
|
|
// GetTLSConfig will return a TLSConfig based off the values from the flags
|
2019-04-15 20:38:08 +03:00
|
|
|
func (f *PluginAPIClientMeta) GetTLSConfig() *TLSConfig {
|
2019-04-13 00:54:35 +03:00
|
|
|
// If we need custom TLS configuration, then set it
|
2023-10-20 17:29:08 +03:00
|
|
|
if f.flagCACert != "" || f.flagCAPath != "" || f.flagClientCert != "" || f.flagClientKey != "" || f.flagInsecure || f.flagServerName != "" {
|
2019-04-15 20:38:08 +03:00
|
|
|
t := &TLSConfig{
|
2019-04-13 00:54:35 +03:00
|
|
|
CACert: f.flagCACert,
|
|
|
|
|
CAPath: f.flagCAPath,
|
|
|
|
|
ClientCert: f.flagClientCert,
|
|
|
|
|
ClientKey: f.flagClientKey,
|
2023-10-20 17:29:08 +03:00
|
|
|
TLSServerName: f.flagServerName,
|
2019-04-13 00:54:35 +03:00
|
|
|
Insecure: f.flagInsecure,
|
|
|
|
|
}
|
2017-03-17 00:14:49 +03:00
|
|
|
|
2019-04-13 00:54:35 +03:00
|
|
|
return t
|
2017-04-24 22:15:01 +03:00
|
|
|
}
|
2017-03-17 00:14:49 +03:00
|
|
|
|
2019-04-13 00:54:35 +03:00
|
|
|
return nil
|
2017-03-16 21:55:21 +03:00
|
|
|
}
|
|
|
|
|
|
2022-03-24 00:47:43 +03:00
|
|
|
// VaultPluginTLSProvider wraps VaultPluginTLSProviderContext using context.Background.
|
2019-04-15 20:38:08 +03:00
|
|
|
func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
|
2022-03-24 00:47:43 +03:00
|
|
|
return VaultPluginTLSProviderContext(context.Background(), apiTLSConfig)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// VaultPluginTLSProviderContext is run inside a plugin and retrieves the response
|
|
|
|
|
// wrapped TLS certificate from vault. It returns a configured TLS Config.
|
|
|
|
|
func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
|
2022-08-30 05:42:26 +03:00
|
|
|
if os.Getenv(PluginAutoMTLSEnv) == "true" || os.Getenv(PluginMetadataModeEnv) == "true" {
|
2017-09-01 08:02:03 +03:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-03 00:40:11 +03:00
|
|
|
return func() (*tls.Config, error) {
|
2019-05-09 02:21:23 +03:00
|
|
|
unwrapToken := os.Getenv(PluginUnwrapTokenEnv)
|
2017-05-03 00:40:11 +03:00
|
|
|
|
2023-05-23 15:25:58 +03:00
|
|
|
parsedJWT, err := jwt.ParseSigned(unwrapToken)
|
2017-05-03 00:40:11 +03:00
|
|
|
if err != nil {
|
2019-03-20 21:54:03 +03:00
|
|
|
return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
2019-03-20 21:54:03 +03:00
|
|
|
|
2021-04-08 19:43:39 +03:00
|
|
|
allClaims := make(map[string]interface{})
|
2019-03-20 21:54:03 +03:00
|
|
|
if err = parsedJWT.UnsafeClaimsWithoutVerification(&allClaims); err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error parsing claims from wrapping token: {{err}}", err)
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
|
2019-03-20 21:54:03 +03:00
|
|
|
addrClaimRaw, ok := allClaims["addr"]
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, errors.New("could not validate addr claim")
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
2019-03-20 21:54:03 +03:00
|
|
|
vaultAddr, ok := addrClaimRaw.(string)
|
2017-05-03 00:40:11 +03:00
|
|
|
if !ok {
|
2019-03-20 21:54:03 +03:00
|
|
|
return nil, errors.New("could not parse addr claim")
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
if vaultAddr == "" {
|
2017-12-05 20:01:35 +03:00
|
|
|
return nil, errors.New(`no vault api_addr found`)
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Sanity check the value
|
|
|
|
|
if _, err := url.Parse(vaultAddr); err != nil {
|
2018-04-05 18:49:21 +03:00
|
|
|
return nil, errwrap.Wrapf("error parsing the vault api_addr: {{err}}", err)
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Unwrap the token
|
2019-04-15 20:38:08 +03:00
|
|
|
clientConf := DefaultConfig()
|
2017-05-03 00:40:11 +03:00
|
|
|
clientConf.Address = vaultAddr
|
|
|
|
|
if apiTLSConfig != nil {
|
2017-09-01 08:02:03 +03:00
|
|
|
err := clientConf.ConfigureTLS(apiTLSConfig)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error configuring api client {{err}}", err)
|
|
|
|
|
}
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
2019-04-15 20:38:08 +03:00
|
|
|
client, err := NewClient(clientConf)
|
2017-05-03 00:40:11 +03:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error during api client creation: {{err}}", err)
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-02 12:40:13 +03:00
|
|
|
// Reset token value to make sure nothing has been set by default
|
|
|
|
|
client.ClearToken()
|
|
|
|
|
|
2022-03-24 00:47:43 +03:00
|
|
|
secret, err := client.Logical().UnwrapWithContext(ctx, unwrapToken)
|
2017-05-03 00:40:11 +03:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error during token unwrap request: {{err}}", err)
|
|
|
|
|
}
|
|
|
|
|
if secret == nil {
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 20:28:40 +03:00
|
|
|
return nil, errors.New("error during token unwrap request: secret is nil")
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Retrieve and parse the server's certificate
|
|
|
|
|
serverCertBytesRaw, ok := secret.Data["ServerCert"].(string)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, errors.New("error unmarshalling certificate")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serverCertBytes, err := base64.StdEncoding.DecodeString(serverCertBytesRaw)
|
|
|
|
|
if err != nil {
|
2018-04-05 18:49:21 +03:00
|
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serverCert, err := x509.ParseCertificate(serverCertBytes)
|
|
|
|
|
if err != nil {
|
2018-04-05 18:49:21 +03:00
|
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Retrieve and parse the server's private key
|
|
|
|
|
serverKeyB64, ok := secret.Data["ServerKey"].(string)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, errors.New("error unmarshalling certificate")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serverKeyRaw, err := base64.StdEncoding.DecodeString(serverKeyB64)
|
|
|
|
|
if err != nil {
|
2018-04-05 18:49:21 +03:00
|
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serverKey, err := x509.ParseECPrivateKey(serverKeyRaw)
|
|
|
|
|
if err != nil {
|
2018-04-05 18:49:21 +03:00
|
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add CA cert to the cert pool
|
|
|
|
|
caCertPool := x509.NewCertPool()
|
|
|
|
|
caCertPool.AddCert(serverCert)
|
|
|
|
|
|
|
|
|
|
// Build a certificate object out of the server's cert and private key.
|
|
|
|
|
cert := tls.Certificate{
|
|
|
|
|
Certificate: [][]byte{serverCertBytes},
|
|
|
|
|
PrivateKey: serverKey,
|
|
|
|
|
Leaf: serverCert,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Setup TLS config
|
|
|
|
|
tlsConfig := &tls.Config{
|
|
|
|
|
ClientCAs: caCertPool,
|
|
|
|
|
RootCAs: caCertPool,
|
|
|
|
|
ClientAuth: tls.RequireAndVerifyClientCert,
|
|
|
|
|
// TLS 1.2 minimum
|
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
|
Certificates: []tls.Certificate{cert},
|
2018-01-19 00:49:20 +03:00
|
|
|
ServerName: serverCert.Subject.CommonName,
|
2017-05-03 00:40:11 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return tlsConfig, nil
|
2017-03-16 21:55:21 +03:00
|
|
|
}
|
|
|
|
|
}
|
2022-04-28 02:35:18 +03:00
|
|
|
|
|
|
|
|
func SudoPaths() map[string]*regexp.Regexp {
|
|
|
|
|
return sudoPaths
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-06 23:01:33 +03:00
|
|
|
// Determine whether the given path requires the sudo capability.
|
|
|
|
|
// Note that this uses hardcoded static path information, so will return incorrect results for paths in namespaces,
|
|
|
|
|
// or for secret engines mounted at non-default paths.
|
2022-04-28 02:35:18 +03:00
|
|
|
func IsSudoPath(path string) bool {
|
|
|
|
|
// Return early if the path is any of the non-templated sudo paths.
|
|
|
|
|
if _, ok := sudoPaths[path]; ok {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Some sudo paths have templated fields in them.
|
|
|
|
|
// (e.g. /sys/revoke-prefix/{prefix})
|
|
|
|
|
// The values in the sudoPaths map are actually regular expressions,
|
|
|
|
|
// so we can check if our path matches against them.
|
|
|
|
|
for _, sudoPathRegexp := range sudoPaths {
|
|
|
|
|
match := sudoPathRegexp.MatchString(path)
|
|
|
|
|
if match {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
}
|