// handleLoginRequest services an unauthenticated login request. It audits
// the request, routes it to the credential backend and, when the backend
// returns an Auth block, turns that Auth into a token: the display name is
// prefixed with the mount it came from, the TTL is defaulted and capped from
// the mount's system view, a TokenEntry is created and the token is
// registered with the expiration manager.
//
// Returns the backend response, the Auth block (nil when the backend did not
// authenticate the caller) and the routing error. Failures in the audit
// broker, system-view lookup, token store or expiration manager are logged
// and reported as ErrInternalError.
//
// NOTE(review): an Auth whose Policies contain "root" is issued as a root
// token here, and such a token is not given a default TTL; this relies on
// the credential backend being trusted never to return "root" unintentionally.
func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *logical.Auth, error) {
	defer metrics.MeasureSince([]string{"core", "handle_login_request"}, time.Now())

	// Audit before doing any work; a login has no Auth to attach yet, and an
	// audit failure aborts the request rather than letting it proceed unrecorded.
	if auditErr := c.auditBroker.LogRequest(nil, req, nil); auditErr != nil {
		c.logger.Printf("[ERR] core: failed to audit request with path %s: %v", req.Path, auditErr)
		return nil, nil, ErrInternalError
	}

	resp, routeErr := c.router.Route(req)

	// Credential backends authenticate; they must never hand back a Secret.
	if resp != nil && resp.Secret != nil {
		c.logger.Printf("[ERR] core: unexpected Secret response for login path(request path: %s)", req.Path)
		return nil, nil, ErrInternalError
	}

	// No authentication happened: return whatever the backend said, unchanged.
	if resp == nil || resp.Auth == nil {
		return resp, nil, routeErr
	}
	auth := resp.Auth

	// Derive a short name for the mount the login came from by dropping the
	// credential route prefix and turning path separators into dashes, then
	// prefix the display name with it. TrimSuffix removes the dangling dash
	// when the backend supplied no display name of its own.
	mountName := strings.Replace(
		strings.TrimPrefix(c.router.MatchingMount(req.Path), credentialRoutePrefix),
		"/", "-", -1)
	auth.DisplayName = strings.TrimSuffix(mountName+auth.DisplayName, "-")

	sysView := c.router.MatchingSystemView(req.Path)
	if sysView == nil {
		c.logger.Printf("[ERR] core: unable to look up sys view for login path(request path: %s)", req.Path)
		return nil, nil, ErrInternalError
	}

	// A zero TTL takes the mount's default unless the token carries the root
	// policy; either way the TTL is capped at the mount's maximum.
	if auth.TTL == 0 && !strListContains(auth.Policies, "root") {
		auth.TTL = sysView.DefaultLeaseTTL()
	}
	if maxTTL := sysView.MaxLeaseTTL(); auth.TTL > maxTTL {
		auth.TTL = maxTTL
	}

	entry := TokenEntry{
		Path:         req.Path,
		Policies:     auth.Policies,
		Meta:         auth.Metadata,
		DisplayName:  auth.DisplayName,
		CreationTime: time.Now().Unix(),
		TTL:          auth.TTL,
	}
	if createErr := c.tokenStore.Create(&entry); createErr != nil {
		c.logger.Printf("[ERR] core: failed to create token: %v", createErr)
		return nil, auth, ErrInternalError
	}

	// entry.ID is populated by Create; it becomes the caller's client token.
	auth.ClientToken = entry.ID

	if regErr := c.expiration.RegisterAuth(req.Path, auth); regErr != nil {
		c.logger.Printf("[ERR] core: failed to register token lease (request path: %s): %v", req.Path, regErr)
		return nil, auth, ErrInternalError
	}

	// Audit backends may read the display name off the request later on.
	req.DisplayName = auth.DisplayName

	return resp, auth, routeErr
}
// handleRequest services an authenticated request to the backend: it checks
// the client token, audits the request, routes it and then registers any
// Secret or Auth in the response with the expiration manager.
//
// The results are named so that the deferred use-count bookkeeping below can
// overwrite them after the body has returned. On success the backend
// response, the Auth derived from the client token and the routing error are
// returned; a failing token check yields an error response plus either the
// original ErrInternalError/ErrPermissionDenied or ErrInvalidRequest, and
// audit, router or expiration failures yield ErrInternalError.
func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
	defer metrics.MeasureSince([]string{"core", "handle_request"}, time.Now())

	// Validate the token. auth carries what the token grants, te is the
	// token's own entry (needed for the use-count update), err the failure.
	auth, te, err := c.checkToken(req.Operation, req.Path, req.ClientToken)

	// The deferred use is armed whenever an entry came back, even when err is
	// also set, so a request rejected further down still consumes a use.
	if te != nil {
		defer func() {
			// Attempt to use the token (decrement num_uses)
			// If a secret was generated and num_uses is currently 1, it will be
			// immediately revoked; in that case, don't return the generated
			// credentials as they are now invalid.
			if retResp != nil && te != nil && te.NumUses == 1 && retResp.Secret != nil {
				retResp = logical.ErrorResponse("Secret cannot be returned; token had one use left, so generated credentials were immediately revoked.")
			}
			// A failed use-count update fails the whole request: the response
			// and auth about to be returned are dropped for ErrInternalError.
			if err := c.tokenStore.UseToken(te); err != nil {
				c.logger.Printf("[ERR] core: failed to use token: %v", err)
				retResp = nil
				retAuth = nil
				retErr = ErrInternalError
			}
		}()
	}

	if err != nil {
		// If it is an internal error we return that, otherwise we
		// return invalid request so that the status codes can be correct
		var errType error
		switch err {
		case ErrInternalError, logical.ErrPermissionDenied:
			errType = err
		default:
			errType = logical.ErrInvalidRequest
		}
		// The rejection is audited together with the token-check error; an
		// audit failure here is logged but does not change the caller's result.
		if err := c.auditBroker.LogRequest(auth, req, err); err != nil {
			c.logger.Printf("[ERR] core: failed to audit request with path (%s): %v", req.Path, err)
		}
		// NOTE(review): err.Error() is surfaced to the client verbatim;
		// confirm checkToken never embeds detail that should stay internal.
		return logical.ErrorResponse(err.Error()), nil, errType
	}

	// Attach the display name
	req.DisplayName = auth.DisplayName

	// Create an audit trail of the request. Unlike the rejection path above,
	// an audit failure here fails closed: the request is not routed.
	if err := c.auditBroker.LogRequest(auth, req, nil); err != nil {
		c.logger.Printf("[ERR] core: failed to audit request with path (%s): %v", req.Path, err)
		return nil, auth, ErrInternalError
	}

	// Route the request
	resp, err := c.router.Route(req)

	// If there is a secret, we must register it with the expiration manager.
	// We exclude renewal of a lease, since it does not need to be re-registered
	if resp != nil && resp.Secret != nil && !strings.HasPrefix(req.Path, "sys/renew/") {
		// Get the SystemView for the mount; secret TTLs are defaulted and
		// capped per mount, not with the core-wide values.
		sysView := c.router.MatchingSystemView(req.Path)
		if sysView == nil {
			c.logger.Println("[ERR] core: unable to retrieve system view from router")
			return nil, auth, ErrInternalError
		}

		// Apply the default lease if none given
		if resp.Secret.TTL == 0 {
			ttl := sysView.DefaultLeaseTTL()
			resp.Secret.TTL = ttl
		}

		// Limit the lease duration
		maxTTL := sysView.MaxLeaseTTL()
		if resp.Secret.TTL > maxTTL {
			resp.Secret.TTL = maxTTL
		}

		// Generic mounts should return the TTL but not register
		// for a lease as this provides a massive slowdown
		registerLease := true
		matchingBackend := c.router.MatchingBackend(req.Path)
		if matchingBackend == nil {
			c.logger.Println("[ERR] core: unable to retrieve generic backend from router")
			return nil, auth, ErrInternalError
		}
		// A passthrough backend that does not generate leases gets a TTL for
		// information only: no lease is registered and the secret is marked
		// non-renewable so clients do not try to renew something untracked.
		if ptbe, ok := matchingBackend.(*PassthroughBackend); ok {
			if !ptbe.GeneratesLeases() {
				registerLease = false
				resp.Secret.Renewable = false
			}
		}

		if registerLease {
			leaseID, err := c.expiration.Register(req, resp)
			if err != nil {
				c.logger.Printf(
					"[ERR] core: failed to register lease "+
						"(request path: %s): %v", req.Path, err)
				return nil, auth, ErrInternalError
			}
			resp.Secret.LeaseID = leaseID
		}
	}

	// Only the token store is allowed to return an auth block, for any
	// other request this is an internal error. We exclude renewal of a token,
	// since it does not need to be re-registered
	if resp != nil && resp.Auth != nil && !strings.HasPrefix(req.Path, "auth/token/renew/") {
		// An Auth from any other backend is treated as a bug and not honoured.
		if !strings.HasPrefix(req.Path, "auth/token/") {
			c.logger.Printf(
				"[ERR] core: unexpected Auth response for non-token backend "+
					"(request path: %s)", req.Path)
			return nil, auth, ErrInternalError
		}

		// Set the default lease if non-provided, root tokens are exempt.
		// Auth TTLs use the core-wide defaults rather than the mount's sysView.
		if resp.Auth.TTL == 0 && !strListContains(resp.Auth.Policies, "root") {
			resp.Auth.TTL = c.defaultLeaseTTL
		}

		// Limit the lease duration
		if resp.Auth.TTL > c.maxLeaseTTL {
			resp.Auth.TTL = c.maxLeaseTTL
		}

		// Register with the expiration manager
		if err := c.expiration.RegisterAuth(req.Path, resp.Auth); err != nil {
			c.logger.Printf("[ERR] core: failed to register token lease "+
				"(request path: %s): %v", req.Path, err)
			return nil, auth, ErrInternalError
		}
	}

	// Return the response and error
	return resp, auth, err
}
// handleLoginRequest services an unauthenticated login request. It audits
// the request, routes it to the credential backend and, when the backend
// returns an Auth block, converts it into a token: the mount name is
// prefixed to the display name, the TTL is defaulted and capped from the
// mount's system view, the policy list is canonicalised, the TokenEntry is
// created and the token is registered with the expiration manager.
//
// Returns the backend response, the Auth block (nil when the backend did not
// authenticate the caller; otherwise carrying the new ClientToken, Accessor
// and the canonical Policies) and the routing error. Failures in the audit
// broker, system-view lookup, token store or expiration manager are logged
// and reported as ErrInternalError.
//
// NOTE(review): a backend whose Policies include "root" is issued a root
// token with no default TTL; this relies on the credential backend being
// trusted never to return "root" unintentionally.
func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *logical.Auth, error) {
	defer metrics.MeasureSince([]string{"core", "handle_login_request"}, time.Now())

	// Audit before doing any work; a login has no Auth to attach yet, and an
	// audit failure aborts the request rather than letting it proceed unrecorded.
	if auditErr := c.auditBroker.LogRequest(nil, req, nil); auditErr != nil {
		c.logger.Printf("[ERR] core: failed to audit request with path %s: %v", req.Path, auditErr)
		return nil, nil, ErrInternalError
	}

	resp, routeErr := c.router.Route(req)

	// Credential backends authenticate; they must never hand back a Secret.
	if resp != nil && resp.Secret != nil {
		c.logger.Printf("[ERR] core: unexpected Secret response for login path(request path: %s)", req.Path)
		return nil, nil, ErrInternalError
	}

	// No authentication happened: return whatever the backend said, unchanged.
	if resp == nil || resp.Auth == nil {
		return resp, nil, routeErr
	}
	auth := resp.Auth

	// Derive a short name for the mount the login came from by dropping the
	// credential route prefix and turning path separators into dashes, then
	// prefix the display name with it. TrimSuffix removes the dangling dash
	// when the backend supplied no display name of its own.
	mountName := strings.Replace(
		strings.TrimPrefix(c.router.MatchingMount(req.Path), credentialRoutePrefix),
		"/", "-", -1)
	auth.DisplayName = strings.TrimSuffix(mountName+auth.DisplayName, "-")

	sysView := c.router.MatchingSystemView(req.Path)
	if sysView == nil {
		c.logger.Printf("[ERR] core: unable to look up sys view for login path(request path: %s)", req.Path)
		return nil, nil, ErrInternalError
	}

	// A zero TTL takes the mount's default unless the token carries the root
	// policy; either way the TTL is capped at the mount's maximum.
	if auth.TTL == 0 && !strutil.StrListContains(auth.Policies, "root") {
		auth.TTL = sysView.DefaultLeaseTTL()
	}
	if maxTTL := sysView.MaxLeaseTTL(); auth.TTL > maxTTL {
		auth.TTL = maxTTL
	}

	entry := TokenEntry{
		Path:         req.Path,
		Policies:     auth.Policies,
		Meta:         auth.Metadata,
		DisplayName:  auth.DisplayName,
		CreationTime: time.Now().Unix(),
		TTL:          auth.TTL,
	}

	// Canonicalise the policy list. Root wins outright: a token carrying
	// "root" is issued with that single policy. Otherwise empty names are
	// dropped, duplicates collapsed, "default" is always attached and the
	// result is sorted so the stored list has one representation.
	if strutil.StrListSubset(entry.Policies, []string{"root"}) {
		entry.Policies = []string{"root"}
	} else {
		seen := map[string]struct{}{"default": {}}
		for _, name := range entry.Policies {
			if name != "" {
				seen[name] = struct{}{}
			}
		}
		canonical := make([]string, 0, len(seen))
		for name := range seen {
			canonical = append(canonical, name)
		}
		sort.Strings(canonical)
		entry.Policies = canonical
	}

	if createErr := c.tokenStore.create(&entry); createErr != nil {
		c.logger.Printf("[ERR] core: failed to create token: %v", createErr)
		return nil, auth, ErrInternalError
	}

	// Hand back the identifiers assigned by the store and the policy list it
	// actually recorded, not the one the backend proposed.
	auth.ClientToken = entry.ID
	auth.Accessor = entry.Accessor
	auth.Policies = entry.Policies

	if regErr := c.expiration.RegisterAuth(entry.Path, auth); regErr != nil {
		c.logger.Printf("[ERR] core: failed to register token lease (request path: %s): %v", req.Path, regErr)
		return nil, auth, ErrInternalError
	}

	// Audit backends may read the display name off the request later on.
	req.DisplayName = auth.DisplayName

	return resp, auth, routeErr
}
// handleRequest services an authenticated request to the backend: it checks
// the client token, audits the request, routes it and registers any Secret
// or Auth in the response with the expiration manager.
//
// The results are named so the deferred use-count update can overwrite them
// after the body has returned. Returns the backend response, the Auth derived
// from the client token and the routing error; a failing token check yields
// an error response with ErrInternalError/ErrPermissionDenied passed through
// and anything else reported as ErrInvalidRequest; audit or expiration
// failures yield ErrInternalError.
//
// NOTE(review): several log lines below format req and resp with %#v, which
// prints the whole request/response struct (including data fields) into the
// error log. Logging req.Path alone would keep payloads out of the log.
func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
	defer metrics.MeasureSince([]string{"core", "handle_request"}, time.Now())

	// Validate the token
	auth, te, err := c.checkToken(req.Operation, req.Path, req.ClientToken)
	// The deferred use is armed whenever an entry came back, even when err is
	// also set, so a request rejected further down still consumes a use.
	if te != nil {
		defer func() {
			// Attempt to use the token (decrement num_uses)
			// A failed update fails the whole request: the response and auth
			// about to be returned are dropped in favour of ErrInternalError.
			if err := c.tokenStore.UseToken(te); err != nil {
				c.logger.Printf("[ERR] core: failed to use token: %v", err)
				retResp = nil
				retAuth = nil
				retErr = ErrInternalError
			}
		}()
	}
	if err != nil {
		// If it is an internal error we return that, otherwise we
		// return invalid request so that the status codes can be correct
		var errType error
		switch err {
		case ErrInternalError, logical.ErrPermissionDenied:
			errType = err
		default:
			errType = logical.ErrInvalidRequest
		}
		// The rejection is audited together with the token-check error; an
		// audit failure here is logged but does not change the caller's result.
		if err := c.auditBroker.LogRequest(auth, req, err); err != nil {
			c.logger.Printf("[ERR] core: failed to audit request (%#v): %v", req, err)
		}
		// NOTE(review): err.Error() is surfaced to the client verbatim;
		// confirm checkToken never embeds detail that should stay internal.
		return logical.ErrorResponse(err.Error()), nil, errType
	}

	// Attach the display name
	req.DisplayName = auth.DisplayName

	// Create an audit trail of the request. Unlike the rejection path above,
	// an audit failure here fails closed: the request is not routed.
	if err := c.auditBroker.LogRequest(auth, req, nil); err != nil {
		c.logger.Printf("[ERR] core: failed to audit request (%#v): %v", req, err)
		return nil, auth, ErrInternalError
	}

	// Route the request
	resp, err := c.router.Route(req)

	// If there is a secret, we must register it with the expiration manager.
	// We exclude renewal of a lease, since it does not need to be re-registered
	if resp != nil && resp.Secret != nil && !strings.HasPrefix(req.Path, "sys/renew/") {
		// Apply the default lease if none given. Secret TTLs are defaulted
		// and capped with the core-wide values here, not per mount.
		if resp.Secret.TTL == 0 {
			resp.Secret.TTL = c.defaultLeaseTTL
		}

		// Limit the lease duration
		if resp.Secret.TTL > c.maxLeaseTTL {
			resp.Secret.TTL = c.maxLeaseTTL
		}

		// Register the lease; the ID the expiration manager assigns is what
		// the client later renews or revokes with.
		leaseID, err := c.expiration.Register(req, resp)
		if err != nil {
			c.logger.Printf(
				"[ERR] core: failed to register lease "+
					"(request: %#v, response: %#v): %v", req, resp, err)
			return nil, auth, ErrInternalError
		}
		resp.Secret.LeaseID = leaseID
	}

	// Only the token store is allowed to return an auth block, for any
	// other request this is an internal error. We exclude renewal of a token,
	// since it does not need to be re-registered
	if resp != nil && resp.Auth != nil && !strings.HasPrefix(req.Path, "auth/token/renew/") {
		// An Auth from any other backend is treated as a bug and not honoured.
		if !strings.HasPrefix(req.Path, "auth/token/") {
			c.logger.Printf(
				"[ERR] core: unexpected Auth response for non-token backend "+
					"(request: %#v, response: %#v)", req, resp)
			return nil, auth, ErrInternalError
		}

		// Set the default lease if non-provided, root tokens are exempt
		if resp.Auth.TTL == 0 && !strListContains(resp.Auth.Policies, "root") {
			resp.Auth.TTL = c.defaultLeaseTTL
		}

		// Limit the lease duration
		if resp.Auth.TTL > c.maxLeaseTTL {
			resp.Auth.TTL = c.maxLeaseTTL
		}

		// Register with the expiration manager
		if err := c.expiration.RegisterAuth(req.Path, resp.Auth); err != nil {
			c.logger.Printf("[ERR] core: failed to register token lease "+
				"(request: %#v, response: %#v): %v", req, resp, err)
			return nil, auth, ErrInternalError
		}
	}

	// Return the response and error
	return resp, auth, err
}
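// handleRequest services an authenticated request to the backend: it checks
// the client token, consumes one use of it, audits the request, routes it,
// forces the response's WrapInfo to reflect the request, and registers any
// Secret or Auth in the response with the expiration manager.
//
// The results are named so that the deferred final-use revocation can
// overwrite them after the body has returned. Errors are accumulated into
// retErr with multierror.Append: a failing token check yields an error
// response plus ErrInternalError/ErrPermissionDenied passed through or
// ErrInvalidRequest otherwise; audit, router, token-store or expiration
// failures add ErrInternalError; a routing error is appended last.
func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
	defer metrics.MeasureSince([]string{"core", "handle_request"}, time.Now())

	// Validate the token
	auth, te, ctErr := c.checkToken(req)

	// We run this logic first because we want to decrement the use count even in the case of an error
	if te != nil {
		// Attempt to use the token (decrement NumUses)
		var err error
		te, err = c.tokenStore.UseToken(te)
		if err != nil {
			c.logger.Printf("[ERR] core: failed to use token: %v", err)
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, nil, retErr
		}
		if te == nil {
			// Token has been revoked by this point
			retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
			return nil, nil, retErr
		}
		if te.NumUses == -1 {
			// We defer a revocation until after logic has run, since this is a
			// valid request (this is the token's final use). We pass the ID in
			// directly just to be safe in case something else modifies te later.
			defer func(id string) {
				err = c.tokenStore.Revoke(id)
				if err != nil {
					c.logger.Printf("[ERR] core: failed to revoke token: %v", err)
					retResp = nil
					retAuth = nil
					retErr = multierror.Append(retErr, ErrInternalError)
				}
				// A lease issued on the token's final use is revoked along
				// with it, so leased credentials must not reach the caller.
				if retResp != nil && retResp.Secret != nil &&
					// Some backends return a TTL even without a Lease ID
					retResp.Secret.LeaseID != "" {
					retResp = logical.ErrorResponse("Secret cannot be returned; token had one use left, so leased credentials were immediately revoked.")
					return
				}
			}(te.ID)
		}
	}

	if ctErr != nil {
		// If it is an internal error we return that, otherwise we
		// return invalid request so that the status codes can be correct
		var errType error
		switch ctErr {
		case ErrInternalError, logical.ErrPermissionDenied:
			errType = ctErr
		default:
			errType = logical.ErrInvalidRequest
		}

		// The rejection is audited together with the token-check error; an
		// audit failure here is logged but does not change the caller's result.
		if err := c.auditBroker.LogRequest(auth, req, ctErr); err != nil {
			c.logger.Printf("[ERR] core: failed to audit request with path (%s): %v", req.Path, err)
		}

		if errType != nil {
			retErr = multierror.Append(retErr, errType)
		}
		// NOTE(review): ctErr.Error() is surfaced to the client verbatim;
		// confirm checkToken never embeds detail that should stay internal.
		return logical.ErrorResponse(ctErr.Error()), nil, retErr
	}

	// Attach the display name
	req.DisplayName = auth.DisplayName

	// Create an audit trail of the request. Unlike the rejection path above,
	// an audit failure here fails closed: the request is not routed.
	if err := c.auditBroker.LogRequest(auth, req, nil); err != nil {
		c.logger.Printf("[ERR] core: failed to audit request with path (%s): %v", req.Path, err)
		retErr = multierror.Append(retErr, ErrInternalError)
		return nil, auth, retErr
	}

	// Route the request
	resp, err := c.router.Route(req)
	if resp != nil {
		// We don't allow backends to specify this, so ensure it's not set
		resp.WrapInfo = nil
		if req.WrapTTL != 0 {
			resp.WrapInfo = &logical.WrapInfo{
				TTL: req.WrapTTL,
			}
		}
	}

	// If there is a secret, we must register it with the expiration manager.
	// We exclude renewal of a lease, since it does not need to be re-registered
	if resp != nil && resp.Secret != nil && !strings.HasPrefix(req.Path, "sys/renew/") {
		// Get the SystemView for the mount
		sysView := c.router.MatchingSystemView(req.Path)
		if sysView == nil {
			c.logger.Println("[ERR] core: unable to retrieve system view from router")
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, auth, retErr
		}

		// Apply the default lease if none given
		if resp.Secret.TTL == 0 {
			resp.Secret.TTL = sysView.DefaultLeaseTTL()
		}

		// Limit the lease duration
		maxTTL := sysView.MaxLeaseTTL()
		if resp.Secret.TTL > maxTTL {
			resp.Secret.TTL = maxTTL
		}

		// Generic mounts should return the TTL but not register
		// for a lease as this provides a massive slowdown
		registerLease := true
		matchingBackend := c.router.MatchingBackend(req.Path)
		if matchingBackend == nil {
			c.logger.Println("[ERR] core: unable to retrieve generic backend from router")
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, auth, retErr
		}
		// A passthrough backend that does not generate leases gets a TTL for
		// information only: no lease is registered and the secret is marked
		// non-renewable so clients do not try to renew something untracked.
		if ptbe, ok := matchingBackend.(*PassthroughBackend); ok {
			if !ptbe.GeneratesLeases() {
				registerLease = false
				resp.Secret.Renewable = false
			}
		}

		if registerLease {
			leaseID, err := c.expiration.Register(req, resp)
			if err != nil {
				c.logger.Printf(
					"[ERR] core: failed to register lease "+
						"(request path: %s): %v", req.Path, err)
				retErr = multierror.Append(retErr, ErrInternalError)
				return nil, auth, retErr
			}
			resp.Secret.LeaseID = leaseID
		}
	}

	// Only the token store is allowed to return an auth block, for any
	// other request this is an internal error. We exclude renewal of a token,
	// since it does not need to be re-registered
	if resp != nil && resp.Auth != nil && !strings.HasPrefix(req.Path, "auth/token/renew") {
		// An Auth from any other backend is treated as a bug and not honoured.
		if !strings.HasPrefix(req.Path, "auth/token/") {
			c.logger.Printf(
				"[ERR] core: unexpected Auth response for non-token backend "+
					"(request path: %s)", req.Path)
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, auth, retErr
		}

		// Register with the expiration manager. We use the token's actual path
		// here because roles allow suffixes. This te shadows the caller's
		// entry; the deferred revocation above captured that ID by value.
		te, err := c.tokenStore.Lookup(resp.Auth.ClientToken)
		if err != nil {
			c.logger.Printf("[ERR] core: failed to lookup token: %v", err)
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, nil, retErr
		}
		// Lookup can report no error and no entry (the same "not found"
		// shape the UseToken path treats as revoked above); without an entry
		// there is no path to register the lease under, so fail instead of
		// dereferencing nil.
		if te == nil {
			c.logger.Printf("[ERR] core: failed to lookup token: entry not found")
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, nil, retErr
		}

		if err := c.expiration.RegisterAuth(te.Path, resp.Auth); err != nil {
			c.logger.Printf("[ERR] core: failed to register token lease "+
				"(request path: %s): %v", req.Path, err)
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, auth, retErr
		}
	}

	// Return the response and error; the routing error, if any, is appended
	// last so bookkeeping errors collected above are not lost.
	if err != nil {
		retErr = multierror.Append(retErr, err)
	}
	return resp, auth, retErr
}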
// handleLoginRequest services an unauthenticated login request. It audits
// the request, refuses paths that belong to the token backend, routes the
// request to the credential backend and, when the backend returns an Auth
// block, converts it into a token: the mount name is prefixed to the display
// name, the TTL is defaulted and capped from the mount's system view, the
// policy list is sanitised and checked against nonAssignablePolicies, the
// TokenEntry is created and the token is registered with the expiration
// manager.
//
// Returns the backend response (with WrapInfo derived from req.WrapTTL only),
// the Auth block (nil when nothing was authenticated; otherwise carrying the
// new ClientToken, Accessor and sanitised Policies) and the routing error. A
// backend that asks for the "root" policy, or for one listed in
// nonAssignablePolicies, gets an error response with ErrInvalidRequest;
// audit, system-view, token-store and expiration failures are logged and
// reported as ErrInternalError.
func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *logical.Auth, error) {
	defer metrics.MeasureSince([]string{"core", "handle_login_request"}, time.Now())

	// Audit before doing any work; a login has no Auth to attach yet, and an
	// audit failure aborts the request rather than letting it proceed unrecorded.
	if auditErr := c.auditBroker.LogRequest(nil, req, nil); auditErr != nil {
		c.logger.Error("core: failed to audit request", "path", req.Path, "error", auditErr)
		return nil, nil, ErrInternalError
	}

	// Token creation is an authenticated operation served by handleRequest;
	// the token backend must never be reached through the login path.
	if strings.HasPrefix(req.Path, "auth/token/") {
		c.logger.Error("core: unexpected login request for token backend", "request_path", req.Path)
		return nil, nil, ErrInternalError
	}

	resp, routeErr := c.router.Route(req)
	if resp != nil {
		// Wrapping is decided by the request, never by the backend: clear
		// whatever the backend set and re-derive it from req.WrapTTL.
		resp.WrapInfo = nil
		if req.WrapTTL != 0 {
			resp.WrapInfo = &logical.WrapInfo{TTL: req.WrapTTL}
		}
	}

	// Credential backends authenticate; they must never hand back a Secret.
	if resp != nil && resp.Secret != nil {
		c.logger.Error("core: unexpected Secret response for login path", "request_path", req.Path)
		return nil, nil, ErrInternalError
	}

	// No authentication happened: return whatever the backend said, unchanged.
	if resp == nil || resp.Auth == nil {
		return resp, nil, routeErr
	}
	auth := resp.Auth

	// Root tokens are not something a credential backend may hand out.
	if strutil.StrListSubset(auth.Policies, []string{"root"}) {
		return logical.ErrorResponse("authentication backends cannot create root tokens"), nil, logical.ErrInvalidRequest
	}

	// Derive a short name for the mount the login came from by dropping the
	// credential route prefix and turning path separators into dashes, then
	// prefix the display name with it. TrimSuffix removes the dangling dash
	// when the backend supplied no display name of its own.
	mountName := strings.Replace(
		strings.TrimPrefix(c.router.MatchingMount(req.Path), credentialRoutePrefix),
		"/", "-", -1)
	auth.DisplayName = strings.TrimSuffix(mountName+auth.DisplayName, "-")

	sysView := c.router.MatchingSystemView(req.Path)
	if sysView == nil {
		c.logger.Error("core: unable to look up sys view for login path", "request_path", req.Path)
		return nil, nil, ErrInternalError
	}

	// A zero TTL takes the mount's default; the result is capped at the
	// mount's maximum.
	if auth.TTL == 0 {
		auth.TTL = sysView.DefaultLeaseTTL()
	}
	if maxTTL := sysView.MaxLeaseTTL(); auth.TTL > maxTTL {
		auth.TTL = maxTTL
	}

	entry := TokenEntry{
		Path:         req.Path,
		Policies:     auth.Policies,
		Meta:         auth.Metadata,
		DisplayName:  auth.DisplayName,
		CreationTime: time.Now().Unix(),
		TTL:          auth.TTL,
	}
	entry.Policies = policyutil.SanitizePolicies(entry.Policies, true)

	// Internal policies are never assignable to a token, whatever the
	// backend asked for.
	for _, name := range entry.Policies {
		if strutil.StrListContains(nonAssignablePolicies, name) {
			return logical.ErrorResponse(fmt.Sprintf("cannot assign policy %q", name)), nil, logical.ErrInvalidRequest
		}
	}

	if createErr := c.tokenStore.create(&entry); createErr != nil {
		c.logger.Error("core: failed to create token", "error", createErr)
		return nil, auth, ErrInternalError
	}

	// Hand back the identifiers assigned by the store and the policy list it
	// actually recorded, not the one the backend proposed.
	auth.ClientToken = entry.ID
	auth.Accessor = entry.Accessor
	auth.Policies = entry.Policies

	if regErr := c.expiration.RegisterAuth(entry.Path, auth); regErr != nil {
		c.logger.Error("core: failed to register token lease", "request_path", req.Path, "error", regErr)
		return nil, auth, ErrInternalError
	}

	// Audit backends may read the display name off the request later on.
	req.DisplayName = auth.DisplayName

	return resp, auth, routeErr
}