mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-10-30 18:17:55 +00:00
01cd9d37bb
* CI: Pre-emptively delete logs dir after cache restore in test-collect-reports (#23600) * Fix OktaNumberChallenge (#23565) * remove arg * changelog * exclude changelog in verifying doc/ui PRs (#23601) * Audit: eventlogger sink node reopen on SIGHUP (#23598) * ensure nodes are asked to reload audit files on SIGHUP * added changelog * Capture errors emitted from all nodes during proccessing of audit pipelines (#23582) * Update security-scan.yml * Listeners: Redaction only for TCP (#23592) * redaction should only work for TCP listeners, also fix bug that allowed custom response headers for unix listeners * fix failing test * updates from PR feedback * fix panic when unlocking unlocked user (#23611) * VAULT-18307: update rotation period for aws static roles on update (#23528) * add disable_replication_status_endpoints tcp listener config parameter * add wrapping handler for disabled replication status endpoints setting * adapt disable_replication_status_endpoints configuration parsing code to refactored parsing code * refactor configuration parsing code to facilitate testing * fix a panic when parsing configuration * update refactored configuration parsing code * fix merge corruption * add changelog file * document new TCP listener configuration parameter * make sure disable_replication_status_endpoints only has effect on TCP listeners * use active voice for explanation of disable_replication_status_endpoints * fix minor merge issue --------- Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com> Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com> Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com> Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com> Co-authored-by: Mark Collao <106274486+mcollao-hc@users.noreply.github.com> Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com> Co-authored-by: kpcraig <3031348+kpcraig@users.noreply.github.com>
152 lines
4.4 KiB
Go
152 lines
4.4 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package http
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
|
|
"github.com/hashicorp/vault/helper/namespace"
|
|
"github.com/hashicorp/vault/vault"
|
|
"github.com/hashicorp/vault/vault/quotas"
|
|
)
|
|
|
|
var (
|
|
// TODO remove once entWrapGenericHandler is implemented in ENT
|
|
genericWrapping = func(core *vault.Core, in http.Handler, props *vault.HandlerProperties) http.Handler {
|
|
// Wrap the help wrapped handler with another layer with a generic
|
|
// handler
|
|
return wrapGenericHandler(core, in, props)
|
|
}
|
|
|
|
// TODO remove once entAdditionalRoutes is implemented in ENT
|
|
additionalRoutes = func(mux *http.ServeMux, core *vault.Core) {}
|
|
|
|
nonVotersAllowed = false
|
|
|
|
// TODO remove once entAdjustResponse is implemented in ENT
|
|
adjustResponse = func(core *vault.Core, w http.ResponseWriter, req *logical.Request) {}
|
|
)
|
|
|
|
func rateLimitQuotaWrapping(handler http.Handler, core *vault.Core) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ns, err := namespace.FromContext(r.Context())
|
|
if err != nil {
|
|
respondError(w, http.StatusInternalServerError, err)
|
|
return
|
|
}
|
|
|
|
// We don't want to do buildLogicalRequestNoAuth here because, if the
|
|
// request gets allowed by the quota, the same function will get called
|
|
// again, which is not desired.
|
|
path, status, err := buildLogicalPath(r)
|
|
if err != nil || status != 0 {
|
|
respondError(w, status, err)
|
|
return
|
|
}
|
|
mountPath := strings.TrimPrefix(core.MatchingMount(r.Context(), path), ns.Path)
|
|
|
|
// Clone body, so we do not close the request body reader
|
|
bodyBytes, err := ioutil.ReadAll(r.Body)
|
|
if err != nil {
|
|
respondError(w, http.StatusInternalServerError, errors.New("failed to read request body"))
|
|
return
|
|
}
|
|
r.Body = ioutil.NopCloser(bytes.NewBuffer(bodyBytes))
|
|
|
|
quotaReq := "as.Request{
|
|
Type: quotas.TypeRateLimit,
|
|
Path: path,
|
|
MountPath: mountPath,
|
|
NamespacePath: ns.Path,
|
|
ClientAddress: parseRemoteIPAddress(r),
|
|
}
|
|
|
|
// This checks if any role based quota is required (LCQ or RLQ).
|
|
requiresResolveRole, err := core.ResolveRoleForQuotas(r.Context(), quotaReq)
|
|
if err != nil {
|
|
core.Logger().Error("failed to lookup quotas", "path", path, "error", err)
|
|
respondError(w, http.StatusInternalServerError, err)
|
|
return
|
|
}
|
|
|
|
// If any role-based quotas are enabled for this namespace/mount, just
|
|
// do the role resolution once here.
|
|
if requiresResolveRole {
|
|
role := core.DetermineRoleFromLoginRequestFromBytes(r.Context(), mountPath, bodyBytes)
|
|
// add an entry to the context to prevent recalculating request role unnecessarily
|
|
r = r.WithContext(context.WithValue(r.Context(), logical.CtxKeyRequestRole{}, role))
|
|
quotaReq.Role = role
|
|
}
|
|
|
|
quotaResp, err := core.ApplyRateLimitQuota(r.Context(), quotaReq)
|
|
if err != nil {
|
|
core.Logger().Error("failed to apply quota", "path", path, "error", err)
|
|
respondError(w, http.StatusInternalServerError, err)
|
|
return
|
|
}
|
|
|
|
if core.RateLimitResponseHeadersEnabled() {
|
|
for h, v := range quotaResp.Headers {
|
|
w.Header().Set(h, v)
|
|
}
|
|
}
|
|
|
|
if !quotaResp.Allowed {
|
|
quotaErr := fmt.Errorf("request path %q: %w", path, quotas.ErrRateLimitQuotaExceeded)
|
|
respondError(w, http.StatusTooManyRequests, quotaErr)
|
|
|
|
if core.Logger().IsTrace() {
|
|
core.Logger().Trace("request rejected due to rate limit quota violation", "request_path", path)
|
|
}
|
|
|
|
if core.RateLimitAuditLoggingEnabled() {
|
|
req, _, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), w, r)
|
|
if err != nil || status != 0 {
|
|
respondError(w, status, err)
|
|
return
|
|
}
|
|
|
|
err = core.AuditLogger().AuditRequest(r.Context(), &logical.LogInput{
|
|
Request: req,
|
|
OuterErr: quotaErr,
|
|
})
|
|
if err != nil {
|
|
core.Logger().Warn("failed to audit log request rejection caused by rate limit quota violation", "error", err)
|
|
}
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
handler.ServeHTTP(w, r)
|
|
return
|
|
})
|
|
}
|
|
|
|
func disableReplicationStatusEndpointWrapping(h http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
request := r.WithContext(context.WithValue(r.Context(), "disable_replication_status_endpoints", true))
|
|
|
|
h.ServeHTTP(w, request)
|
|
})
|
|
}
|
|
|
|
func parseRemoteIPAddress(r *http.Request) string {
|
|
ip, _, err := net.SplitHostPort(r.RemoteAddr)
|
|
if err != nil {
|
|
return ""
|
|
}
|
|
|
|
return ip
|
|
}
|