From 305648bb6b3f8d9907451a9215af30f811596edf Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 31 Jul 2017 16:10:15 -0400
Subject: [PATCH] Make sys/wrapping/lookup unauthenticated.

We still perform validation on the token, so if the call makes it through to this endpoint it's got a valid token (either explicitly specified in data or as the request token). But this allows introspection for sanity/safety checking without revoking the token in the process.

---
vault/logical_system.go | 10 ++++++++--
vault/policy_store.go | 4 +---
2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/vault/logical_system.go b/vault/logical_system.go
index 3aebb770ba66..61b37e328096 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -74,6 +74,7 @@ func NewSystemBackend(core *Core) *SystemBackend {
},
Unauthenticated: []string{
+ "wrapping/lookup",
"wrapping/pubkey",
"replication/status",
},
@@ -725,6 +726,7 @@ func NewSystemBackend(core *Core) *SystemBackend {
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.handleWrappingLookup,
+ logical.ReadOperation: b.handleWrappingLookup,
},
HelpSynopsis: strings.TrimSpace(sysHelp["wraplookup"][0]),
@@ -2171,10 +2173,14 @@ func (b *SystemBackend) handleWrappingUnwrap(
func (b *SystemBackend) handleWrappingLookup(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+ // This ordering of lookups has been validated already in the wrapping
+ // validation func, we're just doing this for a safety check
token := data.Get("token").(string)
- if token == "" { return logical.ErrorResponse("missing \"token\" value in input"), logical.ErrInvalidRequest
+ token = req.ClientToken
+ if token == "" {
+ return logical.ErrorResponse("missing \"token\" value in input"), logical.ErrInvalidRequest
+ }
}
cubbyReq := &logical.Request{
diff --git a/vault/policy_store.go b/vault/policy_store.go
index 0768f76f788a..bb2b56fd18e9 100644
--- a/vault/policy_store.go
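Review bot: Adding `"wrapping/lookup"` to the `Unauthenticated` list removes the normal token and ACL check for this path, so the only control left in front of the handler is the response-wrapping validation that the commit message says still runs, and nothing at the list itself records that dependency. A short comment on the added entry would keep the next reader from treating the list as purely informational, e.g. `// Unauthenticated on purpose: per the wrapping validation path, the token given in "token" or as the request token is still checked as a wrapping token before handleWrappingLookup runs.` If that validation is what rejects ordinary (non-wrapping) tokens on this path, a test pinning that rejection is worth having now, since the ACL no longer provides it. The enclosing NewSystemBackend literal continues outside the hunk.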
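Review bot: Routing `logical.ReadOperation` to the same handler means a read now reaches `handleWrappingLookup` presumably without a request body, so the `"token"` field will normally be empty and the handler's fallback to `req.ClientToken` becomes the usual path for reads; the path's help text (`sysHelp["wraplookup"]`, outside the hunk) should say that for the read form the wrapping token itself is sent as the request token. If the HTTP layer also fills FieldData from query parameters on reads, a token in the URL would be accepted as well; that is worth confirming and documenting either way, since URL-borne tokens tend to end up in proxy and access logs.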
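Review bot: The new comment says the "ordering of lookups" was already validated elsewhere, but it neither states what that ordering is nor that this function must keep it in step with the validation code; if either side later changes which token wins when both the `"token"` field and `req.ClientToken` are set, validation and lookup would silently act on different tokens. Spell the invariant out, e.g. `// The wrapping validation func checks the same token chosen here: the "token" field first, then req.ClientToken. Keep that order in sync with it; this block is only a presence check.` The rest of handleWrappingLookup, including the cubbyhole request built from the chosen token, continues outside the hunk.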
+++ b/vault/policy_store.go
@@ -25,9 +25,7 @@ const (
responseWrappingPolicyName = "response-wrapping"
// responseWrappingPolicy is the policy that ensures cubbyhole response
- // wrapping can always succeed. Note that sys/wrapping/lookup isn't
- contained here because using it would revoke the token anyways, so there
- isn't much point.
+ // wrapping can always succeed.
responseWrappingPolicy = `
path "cubbyhole/response" {
capabilities = ["create", "read"]