Re-process .well-known redirects with a recursive handler call rather than a 302 redirect (#24890)

* Re-process .well-known redirects with a recursive handler call rather than a 302 redirect * Track when the RequestURI mismatches path (in a redirect) and add it to the audit log * call cancelFunc
2025-10-30 18:17:55 +00:00 · 2024-01-19 09:59:58 -06:00
parent ab8887c875
commit 9bb4f9e996
5 changed files with 48 additions and 16 deletions
--- a/http/handler.go
+++ b/http/handler.go
@@ -347,7 +347,8 @@ func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerPr
 	// return an HTTP error here. This information is best effort.
 	hostname, _ := os.Hostname()

-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	var hf func(w http.ResponseWriter, r *http.Request)
+	hf = func(w http.ResponseWriter, r *http.Request) {
 		// This block needs to be here so that upon sending SIGHUP, custom response
 		// headers are also reloaded into the handlers.
 		var customHeaders map[string][]*logical.CustomHeader
@@ -422,16 +423,9 @@ func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerPr
 					core.Logger().Warn("error resolving potential API redirect", "error", err)
 				} else {
 					if redir != "" {
-						dest := url.URL{
-							Path:     redir,
-							RawQuery: r.URL.RawQuery,
-						}
-						w.Header().Set("Location", dest.String())
-						if r.Method == http.MethodGet || r.Proto == "HTTP/1.0" {
-							w.WriteHeader(http.StatusFound)
-						} else {
-							w.WriteHeader(http.StatusTemporaryRedirect)
-						}
+						newReq := r.Clone(ctx)
+						newReq.URL.Path = redir
+						hf(w, newReq)
 						cancelFunc()
 						return
 					}
@@ -487,7 +481,8 @@ func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerPr
 		h.ServeHTTP(nw, r)

 		cancelFunc()
-	})
+	}
+	return http.HandlerFunc(hf)
 }

 func WrapForwardedForHandler(h http.Handler, l *configutil.Listener) http.Handler {
--- a/http/logical.go
+++ b/http/logical.go
@@ -110,10 +110,8 @@ func buildLogicalRequestNoAuth(perfStandby bool, ra *vault.RouterAccess, w http.
 		// add the HTTP request to the logical request object for later consumption.
 		contentType := r.Header.Get("Content-Type")

-		if ra != nil && ra.IsBinaryPath(r.Context(), path) {
-			passHTTPReq = true
-			origBody = r.Body
-		} else if path == "sys/storage/raft/snapshot" || path == "sys/storage/raft/snapshot-force" {
+		if (ra != nil && ra.IsBinaryPath(r.Context(), path)) ||
+			path == "sys/storage/raft/snapshot" || path == "sys/storage/raft/snapshot-force" {
 			passHTTPReq = true
 			origBody = r.Body
 		} else {
@@ -194,6 +192,11 @@ func buildLogicalRequestNoAuth(perfStandby bool, ra *vault.RouterAccess, w http.
 		return nil, nil, http.StatusMethodNotAllowed, nil
 	}

+	// RFC 5785 Redirect, keep the request for auditing purposes
+	if r.URL.Path != r.RequestURI {
+		passHTTPReq = true
+	}
+
 	requestId, err := uuid.GenerateUUID()
 	if err != nil {
 		return nil, nil, http.StatusInternalServerError, fmt.Errorf("failed to generate identifier for the request: %w", err)