Merge branch 'master' into jo-ie11-fixes

hashicorp · Apr 18, 2018 · 981427c · 981427c
2 parents 3c3dbd9 + f23b14a
commit 981427c
Show file tree

Hide file tree

Showing 49 changed files with 1,932 additions and 383 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,12 +1,20 @@
 ## 0.10.1 (Unreleased)
 
+FEATURES:
+
+ * X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set
+   the client IP seen by Vault. See the [TCP listener configuration
+   page](https://www.vaultproject.io/docs/configuration/listener/tcp.html) for
+   details.
+
 IMPROVEMENTS:
 
+ * auth/token: Add to the token lookup response, the policies inherited due to
+   identity associations [GH-4366]
+ * core: Add X-Forwarded-For support [GH-4380]
  * identity: Add the ability to disable an entity. Disabling an entity does not
    revoke associated tokens, but while the entity is disabled they cannot be
    used. [GH-4353]
- * auth/token: Add to the token lookup response, the policies inherited due to
-   identity associations [GH-4366]
 
 BUG FIXES:
 

diff --git a/builtin/logical/mssql/path_creds_create.go b/builtin/logical/mssql/path_creds_create.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/dbtxn"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -90,15 +91,11 @@ func (b *backend) pathCredsCreateRead(ctx context.Context, req *logical.Request,
 			continue
 		}
 
-		stmt, err := tx.Prepare(Query(query, map[string]string{
+		m := map[string]string{
 			"name":     username,
 			"password": password,
-		}))
-		if err != nil {
-			return nil, err
 		}
-		defer stmt.Close()
-		if _, err := stmt.Exec(); err != nil {
+		if err := dbtxn.ExecuteTxQuery(ctx, tx, m, query); err != nil {
 			return nil, err
 		}
 	}

diff --git a/builtin/logical/mssql/secret_creds.go b/builtin/logical/mssql/secret_creds.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 
 	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/helper/dbtxn"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -130,16 +131,11 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
 	// many permissions as possible right now
 	var lastStmtError error
 	for _, query := range revokeStmts {
-		stmt, err := db.Prepare(query)
-		if err != nil {
+
+		if err := dbtxn.ExecuteDBQuery(ctx, db, nil, query); err != nil {
 			lastStmtError = err
 			continue
 		}
-		defer stmt.Close()
-		_, err = stmt.Exec()
-		if err != nil {
-			lastStmtError = err
-		}
 	}
 
 	// can't drop if not all database users are dropped

diff --git a/builtin/logical/mysql/path_role_create.go b/builtin/logical/mysql/path_role_create.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/dbtxn"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -103,15 +104,11 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
 			continue
 		}
 
-		stmt, err := tx.Prepare(Query(query, map[string]string{
+		m := map[string]string{
 			"name":     username,
 			"password": password,
-		}))
-		if err != nil {
-			return nil, err
 		}
-		defer stmt.Close()
-		if _, err := stmt.Exec(); err != nil {
+		if err := dbtxn.ExecuteTxQuery(ctx, tx, m, query); err != nil {
 			return nil, err
 		}
 	}

diff --git a/builtin/logical/postgresql/path_role_create.go b/builtin/logical/postgresql/path_role_create.go
@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/dbtxn"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -106,16 +107,13 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
 			continue
 		}
 
-		stmt, err := tx.Prepare(Query(query, map[string]string{
+		m := map[string]string{
 			"name":       username,
 			"password":   password,
 			"expiration": expiration,
-		}))
-		if err != nil {
-			return nil, err
 		}
-		defer stmt.Close()
-		if _, err := stmt.Exec(); err != nil {
+
+		if err := dbtxn.ExecuteTxQuery(ctx, tx, m, query); err != nil {
 			return nil, err
 		}
 	}

diff --git a/builtin/logical/postgresql/secret_creds.go b/builtin/logical/postgresql/secret_creds.go
@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/helper/dbtxn"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -211,14 +212,7 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
 		// many permissions as possible right now
 		var lastStmtError error
 		for _, query := range revocationStmts {
-			stmt, err := db.Prepare(query)
-			if err != nil {
-				lastStmtError = err
-				continue
-			}
-			defer stmt.Close()
-			_, err = stmt.Exec()
-			if err != nil {
+			if err := dbtxn.ExecuteDBQuery(ctx, db, nil, query); err != nil {
 				lastStmtError = err
 			}
 		}
@@ -258,15 +252,10 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
 				continue
 			}
 
-			stmt, err := tx.Prepare(Query(query, map[string]string{
+			m := map[string]string{
 				"name": username,
-			}))
-			if err != nil {
-				return nil, err
 			}
-			defer stmt.Close()
-
-			if _, err := stmt.Exec(); err != nil {
+			if err := dbtxn.ExecuteTxQuery(ctx, tx, m, query); err != nil {
 				return nil, err
 			}
 		}

diff --git a/command/server.go b/command/server.go
@@ -32,6 +32,7 @@ import (
 	"github.com/hashicorp/errwrap"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-multierror"
+	sockaddr "github.com/hashicorp/go-sockaddr"
 	"github.com/hashicorp/vault/audit"
 	"github.com/hashicorp/vault/command/server"
 	"github.com/hashicorp/vault/helper/gated-writer"
@@ -92,6 +93,11 @@ type ServerCommand struct {
 	flagTestVerifyOnly   bool
 }
 
+type ServerListener struct {
+	net.Listener
+	config map[string]interface{}
+}
+
 func (c *ServerCommand) Synopsis() string {
 	return "Start a Vault server"
 }
@@ -670,16 +676,19 @@ CLUSTER_SYNTHESIS_COMPLETE:
 	clusterAddrs := []*net.TCPAddr{}
 
 	// Initialize the listeners
+	lns := make([]ServerListener, 0, len(config.Listeners))
 	c.reloadFuncsLock.Lock()
-	lns := make([]net.Listener, 0, len(config.Listeners))
 	for i, lnConfig := range config.Listeners {
 		ln, props, reloadFunc, err := server.NewListener(lnConfig.Type, lnConfig.Config, c.logGate, c.UI)
 		if err != nil {
 			c.UI.Error(fmt.Sprintf("Error initializing listener of type %s: %s", lnConfig.Type, err))
 			return 1
 		}
 
-		lns = append(lns, ln)
+		lns = append(lns, ServerListener{
+			Listener: ln,
+			config:   lnConfig.Config,
+		})
 
 		if reloadFunc != nil {
 			relSlice := (*c.reloadFuncs)["listener|"+lnConfig.Type]
@@ -738,7 +747,7 @@ CLUSTER_SYNTHESIS_COMPLETE:
 	// Make sure we close all listeners from this point on
 	listenerCloseFunc := func() {
 		for _, ln := range lns {
-			ln.Close()
+			ln.Listener.Close()
 		}
 	}
 
@@ -776,12 +785,10 @@ CLUSTER_SYNTHESIS_COMPLETE:
 		return 0
 	}
 
-	handler := vaulthttp.Handler(core)
-
 	// This needs to happen before we first unseal, so before we trigger dev
 	// mode if it's set
 	core.SetClusterListenerAddrs(clusterAddrs)
-	core.SetClusterHandler(handler)
+	core.SetClusterHandler(vaulthttp.Handler(core))
 
 	err = core.UnsealWithStoredKeys(context.Background())
 	if err != nil {
@@ -914,10 +921,23 @@ CLUSTER_SYNTHESIS_COMPLETE:
 
 	// Initialize the HTTP servers
 	for _, ln := range lns {
+		handler := vaulthttp.Handler(core)
+
+		// We perform validation on the config earlier, we can just cast here
+		if _, ok := ln.config["x_forwarded_for_authorized_addrs"]; ok {
+			hopSkips := ln.config["x_forwarded_for_hop_skips"].(int)
+			authzdAddrs := ln.config["x_forwarded_for_authorized_addrs"].([]*sockaddr.SockAddrMarshaler)
+			rejectNotPresent := ln.config["x_forwarded_for_reject_not_present"].(bool)
+			rejectNonAuthz := ln.config["x_forwarded_for_reject_not_authorized"].(bool)
+			if len(authzdAddrs) > 0 {
+				handler = vaulthttp.WrapForwardedForHandler(handler, authzdAddrs, rejectNotPresent, rejectNonAuthz, hopSkips)
+			}
+		}
+
 		server := &http.Server{
 			Handler: handler,
 		}
-		go server.Serve(ln)
+		go server.Serve(ln.Listener)
 	}
 
 	if newCoreError != nil {

diff --git a/command/server/config.go b/command/server/config.go
@@ -761,6 +761,10 @@ func parseListeners(result *Config, list *ast.ObjectList) error {
 			"address",
 			"cluster_address",
 			"endpoint",
+			"x_forwarded_for_authorized_addrs",
+			"x_forwarded_for_hop_skips",
+			"x_forwarded_for_reject_not_authorized",
+			"x_forwarded_for_reject_not_present",
 			"infrastructure",
 			"node_id",
 			"proxy_protocol_behavior",

diff --git a/command/server/listener_tcp.go b/command/server/listener_tcp.go
@@ -1,11 +1,15 @@
 package server
 
 import (
+	"fmt"
 	"io"
 	"net"
+	"strconv"
 	"strings"
 	"time"
 
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/helper/parseutil"
 	"github.com/hashicorp/vault/helper/reload"
 	"github.com/mitchellh/cli"
 )
@@ -39,6 +43,57 @@ func tcpListenerFactory(config map[string]interface{}, _ io.Writer, ui cli.Ui) (
 	}
 
 	props := map[string]string{"addr": addr}
+
+	ffAllowedRaw, ffAllowedOK := config["x_forwarded_for_authorized_addrs"]
+	if ffAllowedOK {
+		ffAllowed, err := parseutil.ParseAddrs(ffAllowedRaw)
+		if err != nil {
+			return nil, nil, nil, errwrap.Wrapf("error parsing \"x_forwarded_for_authorized_addrs\": {{err}}", err)
+		}
+		props["x_forwarded_for_authorized_addrs"] = fmt.Sprintf("%v", ffAllowed)
+		config["x_forwarded_for_authorized_addrs"] = ffAllowed
+	}
+
+	if ffHopsRaw, ok := config["x_forwarded_for_hop_skips"]; ok {
+		ffHops64, err := parseutil.ParseInt(ffHopsRaw)
+		if err != nil {
+			return nil, nil, nil, errwrap.Wrapf("error parsing \"x_forwarded_for_hop_skips\": {{err}}", err)
+		}
+		if ffHops64 < 0 {
+			return nil, nil, nil, fmt.Errorf("\"x_forwarded_for_hop_skips\" cannot be negative")
+		}
+		ffHops := int(ffHops64)
+		props["x_forwarded_for_hop_skips"] = strconv.Itoa(ffHops)
+		config["x_forwarded_for_hop_skips"] = ffHops
+	} else if ffAllowedOK {
+		props["x_forwarded_for_hop_skips"] = "0"
+		config["x_forwarded_for_hop_skips"] = int(0)
+	}
+
+	if ffRejectNotPresentRaw, ok := config["x_forwarded_for_reject_not_present"]; ok {
+		ffRejectNotPresent, err := parseutil.ParseBool(ffRejectNotPresentRaw)
+		if err != nil {
+			return nil, nil, nil, errwrap.Wrapf("error parsing \"x_forwarded_for_reject_not_present\": {{err}}", err)
+		}
+		props["x_forwarded_for_reject_not_present"] = strconv.FormatBool(ffRejectNotPresent)
+		config["x_forwarded_for_reject_not_present"] = ffRejectNotPresent
+	} else if ffAllowedOK {
+		props["x_forwarded_for_reject_not_present"] = "true"
+		config["x_forwarded_for_reject_not_present"] = true
+	}
+
+	if ffRejectNonAuthorizedRaw, ok := config["x_forwarded_for_reject_not_authorized"]; ok {
+		ffRejectNonAuthorized, err := parseutil.ParseBool(ffRejectNonAuthorizedRaw)
+		if err != nil {
+			return nil, nil, nil, errwrap.Wrapf("error parsing \"x_forwarded_for_reject_not_authorized\": {{err}}", err)
+		}
+		props["x_forwarded_for_reject_not_authorized"] = strconv.FormatBool(ffRejectNonAuthorized)
+		config["x_forwarded_for_reject_not_authorized"] = ffRejectNonAuthorized
+	} else if ffAllowedOK {
+		props["x_forwarded_for_reject_not_authorized"] = "true"
+		config["x_forwarded_for_reject_not_authorized"] = true
+	}
+
 	return listenerWrapTLS(ln, props, config, ui)
 }