// requestAuth adds the token to the logical.Request if it exists.
func requestAuth(r *http.Request, req *logical.Request) *logical.Request {
// Attach the cookie value as the token if we have it
cookie, err := r.Cookie(AuthCookieName)
if err == nil {
req.ClientToken = cookie.Value
}
// Attach the header value if we have it
if v := r.Header.Get(AuthHeaderName); v != "" {
req.ClientToken = v
}
return req
}
// requestAuth adds the token to the logical.Request if it exists.
func requestAuth(r *http.Request, req *logical.Request) *logical.Request {
// Attach the header value if we have it
if v := r.Header.Get(AuthHeaderName); v != "" {
req.ClientToken = v
}
return req
}
// requestAuth adds the token to the logical.Request if it exists.
func requestAuth(core *vault.Core, r *http.Request, req *logical.Request) *logical.Request {
// Attach the header value if we have it
if v := r.Header.Get(AuthHeaderName); v != "" {
req.ClientToken = v
// Also attach the accessor if we have it. This doesn't fail if it
// doesn't exist because the request may be to an unauthenticated
// endpoint/login endpoint where a bad current token doesn't matter, or
// a token from a Vault version pre-accessors.
te, err := core.LookupToken(v)
if err == nil && te != nil {
req.ClientTokenAccessor = te.Accessor
}
}
return req
}
// Route is used to route a given request
func (r *Router) Route(req *logical.Request) (*logical.Response, error) {
// Find the mount point
r.l.RLock()
mount, raw, ok := r.root.LongestPrefix(req.Path)
if !ok {
// Re-check for a backend by appending a slash. This lets "foo" mean
// "foo/" at the root level which is almost always what we want.
req.Path += "/"
mount, raw, ok = r.root.LongestPrefix(req.Path)
}
r.l.RUnlock()
if !ok {
return nil, fmt.Errorf("no handler for route '%s'", req.Path)
}
defer metrics.MeasureSince([]string{"route", string(req.Operation),
strings.Replace(mount, "/", "-", -1)}, time.Now())
me := raw.(*mountEntry)
// If the path is tainted, we reject any operation except for
// Rollback and Revoke
if me.tainted {
switch req.Operation {
case logical.RevokeOperation, logical.RollbackOperation:
default:
return nil, fmt.Errorf("no handler for route '%s'", req.Path)
}
}
// Determine if this path is an unauthenticated path before we modify it
loginPath := r.LoginPath(req.Path)
// Adjust the path to exclude the routing prefix
original := req.Path
req.Path = strings.TrimPrefix(req.Path, mount)
if req.Path == "/" {
req.Path = ""
}
// Attach the storage view for the request
req.Storage = me.view
// Hash the request token unless this is the token backend
clientToken := req.ClientToken
if !strings.HasPrefix(original, "auth/token/") {
req.ClientToken = me.SaltID(req.ClientToken)
}
// If the request is not a login path, then clear the connection
originalConn := req.Connection
if !loginPath {
req.Connection = nil
}
// Reset the request before returning
defer func() {
req.Path = original
req.Connection = originalConn
req.Storage = nil
req.ClientToken = clientToken
}()
// Invoke the backend
return me.backend.HandleRequest(req)
}
func (r *Router) routeCommon(req *logical.Request, existenceCheck bool) (*logical.Response, bool, bool, error) {
// Find the mount point
r.l.RLock()
mount, raw, ok := r.root.LongestPrefix(req.Path)
if !ok {
// Re-check for a backend by appending a slash. This lets "foo" mean
// "foo/" at the root level which is almost always what we want.
req.Path += "/"
mount, raw, ok = r.root.LongestPrefix(req.Path)
}
r.l.RUnlock()
if !ok {
return logical.ErrorResponse(fmt.Sprintf("no handler for route '%s'", req.Path)), false, false, logical.ErrUnsupportedPath
}
defer metrics.MeasureSince([]string{"route", string(req.Operation),
strings.Replace(mount, "/", "-", -1)}, time.Now())
re := raw.(*routeEntry)
// If the path is tainted, we reject any operation except for
// Rollback and Revoke
if re.tainted {
switch req.Operation {
case logical.RevokeOperation, logical.RollbackOperation:
default:
return logical.ErrorResponse(fmt.Sprintf("no handler for route '%s'", req.Path)), false, false, logical.ErrUnsupportedPath
}
}
// Adjust the path to exclude the routing prefix
originalPath := req.Path
req.Path = strings.TrimPrefix(req.Path, mount)
req.MountPoint = mount
if req.Path == "/" {
req.Path = ""
}
// Attach the storage view for the request
req.Storage = re.storageView
// Hash the request token unless this is the token backend
clientToken := req.ClientToken
switch {
case strings.HasPrefix(originalPath, "auth/token/"):
case strings.HasPrefix(originalPath, "sys/"):
case strings.HasPrefix(originalPath, "cubbyhole/"):
// In order for the token store to revoke later, we need to have the same
// salted ID, so we double-salt what's going to the cubbyhole backend
req.ClientToken = re.SaltID(r.tokenStoreSalt.SaltID(req.ClientToken))
default:
req.ClientToken = re.SaltID(req.ClientToken)
}
// Cache the pointer to the original connection object
originalConn := req.Connection
// Cache the identifier of the request
originalReqID := req.ID
// Cache the wrap TTL of the request
originalWrapTTL := req.WrapTTL
// Reset the request before returning
defer func() {
req.Path = originalPath
req.MountPoint = ""
req.Connection = originalConn
req.ID = originalReqID
req.Storage = nil
req.ClientToken = clientToken
// Only the rewrap endpoint is allowed to declare a wrap TTL on a
// request that did not come from the client
if req.Path != "sys/wrapping/rewrap" {
req.WrapTTL = originalWrapTTL
}
}()
// Invoke the backend
if existenceCheck {
ok, exists, err := re.backend.HandleExistenceCheck(req)
return nil, ok, exists, err
} else {
resp, err := re.backend.HandleRequest(req)
return resp, false, false, err
}
}