sys/config: config state endpoint (#7424)

* sys/config: initial work on adding config state endpoint

* server/config: add tests, fix Sanitized method

* thread config through NewTestCluster's config to avoid panic on dev modes

* properly guard endpoint against request forwarding

* add http tests, guard against panics on nil RawConfig

* ensure non-nil rawConfig on NewTestCluster cores

* update non-forwarding logic

* fix imports; use no-forward handler

* add missing config test fixture; update gitignore

* return sanitized config as a map

* fix test, use deep.Equal to check for equality

* fix http test

* minor comment fix

* config: change Sanitized to return snake-cased keys, update tests

* core: hold rlock when reading config; add docstring

* update docstring

command/server.go

@@ -668,6 +668,7 @@ func (c *ServerCommand) Run(args []string) int {
 	}
 
 	coreConfig := &vault.CoreConfig{
+		RawConfig:                 config,
 		Physical:                  backend,
 		RedirectAddr:              config.Storage.RedirectAddr,
 		StorageType:               config.Storage.Type,
@@ -973,7 +974,7 @@ CLUSTER_SYNTHESIS_COMPLETE:
 		}
 		props["max_request_size"] = fmt.Sprintf("%d", maxRequestSize)
 
-		var maxRequestDuration time.Duration = vault.DefaultMaxRequestDuration
+		maxRequestDuration := vault.DefaultMaxRequestDuration
 		if valRaw, ok := lnConfig.Config["max_request_duration"]; ok {
 			val, err := parseutil.ParseDurationSecond(valRaw)
 			if err != nil {
@@ -1415,6 +1416,8 @@ CLUSTER_SYNTHESIS_COMPLETE:
 				goto RUNRELOADFUNCS
 			}
 
+			core.SetConfig(config)
+
 			if config.LogLevel != "" {
 				configLogLevel := strings.ToLower(strings.TrimSpace(config.LogLevel))
 				switch configLogLevel {

command/server/config.go

@@ -905,3 +905,128 @@ func parseTelemetry(result *Config, list *ast.ObjectList) error {
 
 	return nil
 }
+
+// Sanitized returns a copy of the config with all values that are considered
+// sensitive stripped. It also strips all `*Raw` values that are mainly
+// used for parsing.
+//
+// Specifically, the fields that this method strips are:
+// - Storage.Config
+// - HAStorage.Config
+// - Seals.Config
+// - Telemetry.CirconusAPIToken
+func (c *Config) Sanitized() map[string]interface{} {
+	result := map[string]interface{}{
+		"cache_size":              c.CacheSize,
+		"disable_cache":           c.DisableCache,
+		"disable_mlock":           c.DisableMlock,
+		"disable_printable_check": c.DisablePrintableCheck,
+
+		"enable_ui": c.EnableUI,
+
+		"max_lease_ttl":     c.MaxLeaseTTL,
+		"default_lease_ttl": c.DefaultLeaseTTL,
+
+		"default_max_request_duration": c.DefaultMaxRequestDuration,
+
+		"cluster_name":          c.ClusterName,
+		"cluster_cipher_suites": c.ClusterCipherSuites,
+
+		"plugin_directory": c.PluginDirectory,
+
+		"log_level":  c.LogLevel,
+		"log_format": c.LogFormat,
+
+		"pid_file":             c.PidFile,
+		"raw_storage_endpoint": c.EnableRawEndpoint,
+
+		"api_addr":           c.APIAddr,
+		"cluster_addr":       c.ClusterAddr,
+		"disable_clustering": c.DisableClustering,
+
+		"disable_performance_standby": c.DisablePerformanceStandby,
+
+		"disable_sealwrap": c.DisableSealWrap,
+
+		"disable_indexing": c.DisableIndexing,
+	}
+
+	// Sanitize listeners
+	if len(c.Listeners) != 0 {
+		var sanitizedListeners []interface{}
+		for _, ln := range c.Listeners {
+			cleanLn := map[string]interface{}{
+				"type":   ln.Type,
+				"config": ln.Config,
+			}
+			sanitizedListeners = append(sanitizedListeners, cleanLn)
+		}
+		result["listeners"] = sanitizedListeners
+	}
+
+	// Sanitize storage stanza
+	if c.Storage != nil {
+		sanitizedStorage := map[string]interface{}{
+			"type":               c.Storage.Type,
+			"redirect_addr":      c.Storage.RedirectAddr,
+			"cluster_addr":       c.Storage.ClusterAddr,
+			"disable_clustering": c.Storage.DisableClustering,
+		}
+		result["storage"] = sanitizedStorage
+	}
+
+	// Sanitize HA storage stanza
+	if c.HAStorage != nil {
+		sanitizedHAStorage := map[string]interface{}{
+			"type":               c.HAStorage.Type,
+			"redirect_addr":      c.HAStorage.RedirectAddr,
+			"cluster_addr":       c.HAStorage.ClusterAddr,
+			"disable_clustering": c.HAStorage.DisableClustering,
+		}
+		result["ha_storage"] = sanitizedHAStorage
+	}
+
+	// Sanitize seals stanza
+	if len(c.Seals) != 0 {
+		var sanitizedSeals []interface{}
+		for _, s := range c.Seals {
+			cleanSeal := map[string]interface{}{
+				"type":     s.Type,
+				"disabled": s.Disabled,
+			}
+			sanitizedSeals = append(sanitizedSeals, cleanSeal)
+		}
+		result["seals"] = sanitizedSeals
+	}
+
+	// Sanitize telemetry stanza
+	if c.Telemetry != nil {
+		sanitizedTelemetry := map[string]interface{}{
+			"statsite_address":                       c.Telemetry.StatsiteAddr,
+			"statsd_address":                         c.Telemetry.StatsdAddr,
+			"disable_hostname":                       c.Telemetry.DisableHostname,
+			"circonus_api_token":                     "",
+			"circonus_api_app":                       c.Telemetry.CirconusAPIApp,
+			"circonus_api_url":                       c.Telemetry.CirconusAPIURL,
+			"circonus_submission_interval":           c.Telemetry.CirconusSubmissionInterval,
+			"circonus_submission_url":                c.Telemetry.CirconusCheckSubmissionURL,
+			"circonus_check_id":                      c.Telemetry.CirconusCheckID,
+			"circonus_check_force_metric_activation": c.Telemetry.CirconusCheckForceMetricActivation,
+			"circonus_check_instance_id":             c.Telemetry.CirconusCheckInstanceID,
+			"circonus_check_search_tag":              c.Telemetry.CirconusCheckSearchTag,
+			"circonus_check_tags":                    c.Telemetry.CirconusCheckTags,
+			"circonus_check_display_name":            c.Telemetry.CirconusCheckDisplayName,
+			"circonus_broker_id":                     c.Telemetry.CirconusBrokerID,
+			"circonus_broker_select_tag":             c.Telemetry.CirconusBrokerSelectTag,
+			"dogstatsd_addr":                         c.Telemetry.DogStatsDAddr,
+			"dogstatsd_tags":                         c.Telemetry.DogStatsDTags,
+			"prometheus_retention_time":              c.Telemetry.PrometheusRetentionTime,
+			"stackdriver_project_id":                 c.Telemetry.StackdriverProjectID,
+			"stackdriver_location":                   c.Telemetry.StackdriverLocation,
+			"stackdriver_namespace":                  c.Telemetry.StackdriverNamespace,
+		}
+		result["telemetry"] = sanitizedTelemetry
+	}
+
+	return result
+}

command/server/config_test.go

@@ -6,6 +6,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-test/deep"
 	"github.com/hashicorp/hcl"
 	"github.com/hashicorp/hcl/hcl/ast"
 )
@@ -349,6 +350,90 @@ func TestLoadConfigDir(t *testing.T) {
 	}
 }
 
+func TestConfig_Sanitized(t *testing.T) {
+	config, err := LoadConfigFile("./test-fixtures/config3.hcl")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	sanitizedConfig := config.Sanitized()
+
+	expected := map[string]interface{}{
+		"api_addr":                     "top_level_api_addr",
+		"cache_size":                   0,
+		"cluster_addr":                 "top_level_cluster_addr",
+		"cluster_cipher_suites":        "",
+		"cluster_name":                 "testcluster",
+		"default_lease_ttl":            10 * time.Hour,
+		"default_max_request_duration": 0 * time.Second,
+		"disable_cache":                true,
+		"disable_clustering":           false,
+		"disable_indexing":             false,
+		"disable_mlock":                true,
+		"disable_performance_standby":  false,
+		"disable_printable_check":      false,
+		"disable_sealwrap":             true,
+		"raw_storage_endpoint":         true,
+		"enable_ui":                    true,
+		"ha_storage": map[string]interface{}{
+			"cluster_addr":       "top_level_cluster_addr",
+			"disable_clustering": true,
+			"redirect_addr":      "top_level_api_addr",
+			"type":               "consul"},
+		"listeners": []interface{}{
+			map[string]interface{}{
+				"config": map[string]interface{}{
+					"address": "127.0.0.1:443",
+				},
+				"type": "tcp",
+			},
+		},
+		"log_format":       "",
+		"log_level":        "",
+		"max_lease_ttl":    10 * time.Hour,
+		"pid_file":         "./pidfile",
+		"plugin_directory": "",
+		"seals": []interface{}{
+			map[string]interface{}{
+				"disabled": false,
+				"type":     "awskms",
+			},
+		},
+		"storage": map[string]interface{}{
+			"cluster_addr":       "top_level_cluster_addr",
+			"disable_clustering": false,
+			"redirect_addr":      "top_level_api_addr",
+			"type":               "consul",
+		},
+		"telemetry": map[string]interface{}{
+			"circonus_api_app":                       "",
+			"circonus_api_token":                     "",
+			"circonus_api_url":                       "",
+			"circonus_broker_id":                     "",
+			"circonus_broker_select_tag":             "",
+			"circonus_check_display_name":            "",
+			"circonus_check_force_metric_activation": "",
+			"circonus_check_id":                      "",
+			"circonus_check_instance_id":             "",
+			"circonus_check_search_tag":              "",
+			"circonus_submission_url":                "",
+			"circonus_check_tags":                    "",
+			"circonus_submission_interval":           "",
+			"disable_hostname":                       false,
+			"dogstatsd_addr":                         "",
+			"dogstatsd_tags":                         []string(nil),
+			"prometheus_retention_time":              24 * time.Hour,
+			"stackdriver_location":                   "",
+			"stackdriver_namespace":                  "",
+			"stackdriver_project_id":                 "",
+			"statsd_address":                         "bar",
+			"statsite_address":                       ""},
+	}
+
+	if diff := deep.Equal(sanitizedConfig, expected); len(diff) > 0 {
+		t.Fatalf("bad, diff: %#v", diff)
+	}
+}
+
 func TestParseListeners(t *testing.T) {
 	obj, _ := hcl.Parse(strings.TrimSpace(`
 listener "tcp" {

command/server/test-fixtures/config3.hcl

@@ -0,0 +1,41 @@
+disable_cache = true
+disable_mlock = true
+
+ui = true
+
+api_addr = "top_level_api_addr"
+cluster_addr = "top_level_cluster_addr"
+
+listener "tcp" {
+  address = "127.0.0.1:443"
+}
+
+backend "consul" {
+  advertise_addr = "foo"
+  token = "foo"
+}
+
+ha_backend "consul" {
+  bar = "baz"
+  advertise_addr = "snafu"
+  disable_clustering = "true"
+  token = "foo"
+}
+
+telemetry {
+  statsd_address = "bar"
+  circonus_api_token = "baz"
+}
+
+seal "awskms" {
+  region     = "us-east-1"
+  access_key = "AKIAIOSFODNN7EXAMPLE"
+  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+}
+
+max_lease_ttl = "10h"
+default_lease_ttl = "10h"
+cluster_name = "testcluster"
+pid_file = "./pidfile"
+raw_storage_endpoint = true
+disable_sealwrap = true