Skip to content

Commit

Permalink
Add subkeys endpoint (#59)
Browse files Browse the repository at this point in the history
* move some test helper funcs to helper file

* add subkeys endpoint and associated ReadOperation handler

* fix max depth handling to prevent leaking data

* move getBackend test helper to common test helpers

* adding more subkeys tests

* go fmt

* return metadata in subkeys resp if secret is destroyed

* adding more unit tests

* add depth param to subkeys endpoint

* update subkeys help description

* cleaning up some comments

* add IsValid checks to prevent panics

* fix test error message

* change getBackend test helper to wait for upgrade to finish

* move test helper functions back

* gofmt

* fix test error logging so it cannot panic

* fix typo
  • Loading branch information
ccapurso authored Feb 14, 2022
1 parent c2eb38b commit a1df167
Show file tree
Hide file tree
Showing 5 changed files with 798 additions and 21 deletions.
6 changes: 5 additions & 1 deletion backend.go
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,7 @@ func VersionedKVFactory(ctx context.Context, conf *logical.BackendConfig) (logic
pathData(b),
pathMetadata(b),
pathDestroy(b),
pathSubkeys(b),
},
pathsDelete(b),

Expand Down Expand Up @@ -453,7 +454,7 @@ you may or may not be able to access certain paths.
Configures settings for the KV store
^data/.*$
Write, Read, and Delete data in the Key-Value Store.
Write, Read, and Delete data in the KV store.
^delete/.*$
Marks one or more versions as deleted in the KV store.
Expand All @@ -466,4 +467,7 @@ you may or may not be able to access certain paths.
^undelete/.*$
Undeletes one or more versions from the KV store.
^subkeys/.*$
Read the subkeys within the data from the KV store without their associated values
`
56 changes: 37 additions & 19 deletions path_data_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,12 +29,39 @@ func getBackend(t *testing.T) (logical.Backend, logical.Storage) {
}

// Wait for the upgrade to finish
time.Sleep(time.Second)

return b, config.StorageView
timeout := time.After(20 * time.Second)
ticker := time.Tick(time.Second)

for {
select {
case <-timeout:
t.Fatal("timeout expired waiting for upgrade")
case <-ticker:
req := &logical.Request{
Operation: logical.ReadOperation,
Path: "config",
Storage: config.StorageView,
}

resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatalf("unable to read config: %s", err.Error())
return nil, nil
}

if resp != nil && !resp.IsError() {
return b, config.StorageView
}

if resp == nil || (resp.IsError() && strings.Contains(resp.Error().Error(), "Upgrading from non-versioned to versioned")) {
t.Log("waiting for upgrade to complete")
}
}
}
}

func keys(m map[string]interface{}) map[string]struct{} {
// getKeySet will produce a set of the keys that exist in m
func getKeySet(m map[string]interface{}) map[string]struct{} {
set := make(map[string]struct{})

for k := range m {
Expand All @@ -45,7 +72,7 @@ func keys(m map[string]interface{}) map[string]struct{} {
}

// expectedMetadataKeys produces a deterministic set of expected
// metadata fields to ensure consistent shape across all endpoints
// metadata keys to ensure consistent shape across all endpoints
func expectedMetadataKeys() map[string]struct{} {
return map[string]struct{}{
"version": {},
Expand Down Expand Up @@ -98,9 +125,7 @@ func TestVersionedKV_Data_Put(t *testing.T) {
t.Fatalf("data CreateOperation request failed, err: %s, resp %#v", err, resp)
}

actualKeys := keys(resp.Data)

if diff := deep.Equal(actualKeys, expectedMetadataKeys()); len(diff) > 0 {
if diff := deep.Equal(getKeySet(resp.Data), expectedMetadataKeys()); len(diff) > 0 {
t.Fatalf("metadata map keys mismatch, diff: %#v", diff)
}

Expand Down Expand Up @@ -133,9 +158,7 @@ func TestVersionedKV_Data_Put(t *testing.T) {
t.Fatalf("data CreateOperation request failed, err: %s, resp %#v", err, resp)
}

actualKeys = keys(resp.Data)

if diff := deep.Equal(actualKeys, expectedMetadataKeys()); len(diff) > 0 {
if diff := deep.Equal(getKeySet(resp.Data), expectedMetadataKeys()); len(diff) > 0 {
t.Fatalf("metadata map keys mismatch, diff: %#v", diff)
}

Expand Down Expand Up @@ -272,9 +295,8 @@ func TestVersionedKV_Data_Get(t *testing.T) {
}

respMetadata := resp.Data["metadata"].(map[string]interface{})
actualMetadataKeys := keys(respMetadata)

if diff := deep.Equal(actualMetadataKeys, expectedMetadataKeys()); len(diff) > 0 {
if diff := deep.Equal(getKeySet(respMetadata), expectedMetadataKeys()); len(diff) > 0 {
t.Fatalf("metadata map keys mismatch, diff: %#v\n", diff)
}

Expand Down Expand Up @@ -847,9 +869,7 @@ func TestVersionedKV_Patch_Success(t *testing.T) {
t.Fatalf("data CreateOperation request failed - err:%s resp:%#v\n", err, resp)
}

actualKeys := keys(resp.Data)

if diff := deep.Equal(actualKeys, expectedMetadataKeys()); len(diff) > 0 {
if diff := deep.Equal(getKeySet(resp.Data), expectedMetadataKeys()); len(diff) > 0 {
t.Fatalf("metadata map keys mismatch, diff: %#v", diff)
}

Expand Down Expand Up @@ -883,9 +903,7 @@ func TestVersionedKV_Patch_Success(t *testing.T) {
t.Fatalf("data PatchOperation request failed - err:%s resp:%#v\n", err, resp)
}

actualKeys = keys(resp.Data)

if diff := deep.Equal(actualKeys, expectedMetadataKeys()); len(diff) > 0 {
if diff := deep.Equal(getKeySet(resp.Data), expectedMetadataKeys()); len(diff) > 0 {
t.Fatalf("metadata map keys mismatch, diff: %#v", diff)
}

Expand Down
2 changes: 1 addition & 1 deletion path_metadata_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1324,7 +1324,7 @@ func TestVersionedKV_Metadata_Patch_NilsUnset(t *testing.T) {
Operation: logical.PatchOperation,
Path: path,
Storage: storage,
Data: map[string]interface{}{
Data: map[string]interface{}{
"max_versions": nil,
},
}
Expand Down
193 changes: 193 additions & 0 deletions path_subkeys.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,193 @@
package kv

import (
"context"
"encoding/json"
"errors"
"net/http"
"reflect"
"time"

"github.com/golang/protobuf/proto"
"github.com/golang/protobuf/ptypes"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/locksutil"
"github.com/hashicorp/vault/sdk/logical"
)

func pathSubkeys(b *versionedKVBackend) *framework.Path {
return &framework.Path{
Pattern: "subkeys/" + framework.MatchAllRegex("path"),
Fields: map[string]*framework.FieldSchema{
"path": {
Type: framework.TypeString,
Description: "Location of the secret.",
},
"depth": {
Type: framework.TypeInt,
Description: "The maximum depth to traverse. No limit will be imposed if not provided or if 0.",
},
"version": {
Type: framework.TypeInt,
Description: "Specifies which version to retrieve. If not provided, the current version will be used.",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.upgradeCheck(b.pathSubkeysRead()),
},

HelpSynopsis: subkeysHelpSyn,
HelpDescription: subkeysHelpDesc,
}
}

// removeValues recursively walks the provided secret data represented as a
// map. All leaf nodes (i.e. empty maps and non-map values) will be replaced
// with nil in an effort to remove all values. The resulting structure will
// provide all subkeys with nesting fully intact. The modifications are made
// to the input in-place. maxDepth will denote how deep to traverse. A maxDepth
// of 0 is the equivalent of no limit.
func removeValues(input map[string]interface{}, maxDepth int) {
var walk func(interface{}, int)

walk = func(in interface{}, depth int) {
val := reflect.ValueOf(in)

if val.IsValid() && val.Kind() == reflect.Map {
for _, k := range val.MapKeys() {
v := val.MapIndex(k)

if v.IsValid() {
m := in.(map[string]interface{})

switch t := v.Interface().(type) {
case map[string]interface{}:
// Only continue walking if we have not reached max depth
// and the underlying map has at least 1 key. The key is
// otherwise treated as a leaf node and thus set to nil.
// Setting to nil if the max depth is reached is crucial in
// that it prevents leaking secret data as the input map is
// being modified in-place
if currentDepth := depth + 1; (maxDepth == 0 || currentDepth <= maxDepth) && len(t) > 0 {
walk(t, currentDepth)
} else {
m[k.String()] = nil
}
default:
m[k.String()] = nil
}
}
}
}
}

walk(input, 1)
}

// pathSubkeysRead handles ReadOperation requests for a specified path. Subkeys
// that exist within the entry specified by the provided path will be retrieved.
// This is done by stripping the secret data by replacing all underlying values of
// leaf keys with null.
func (b *versionedKVBackend) pathSubkeysRead() framework.OperationFunc {
return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
key := data.Get("path").(string)
depth := data.Get("depth").(int)

lock := locksutil.LockForKey(b.locks, key)
lock.RLock()
defer lock.RUnlock()

meta, err := b.getKeyMetadata(ctx, req.Storage, key)
if err != nil {
return nil, err
}
if meta == nil {
return nil, nil
}

versionNum := meta.CurrentVersion
versionParam := data.Get("version").(int)

if versionParam > 0 {
versionNum = uint64(versionParam)
}

versionMetadata := meta.Versions[versionNum]
if versionMetadata == nil {
return nil, nil
}

resp := &logical.Response{
Data: map[string]interface{}{
"subkeys": nil,
"metadata": map[string]interface{}{
"version": versionNum,
"created_time": ptypesTimestampToString(versionMetadata.CreatedTime),
"deletion_time": ptypesTimestampToString(versionMetadata.DeletionTime),
"destroyed": versionMetadata.Destroyed,
"custom_metadata": meta.CustomMetadata,
},
},
}

if versionMetadata.DeletionTime != nil {
deletionTime, err := ptypes.Timestamp(versionMetadata.DeletionTime)
if err != nil {
return nil, err
}

if deletionTime.Before(time.Now()) {
return logical.RespondWithStatusCode(resp, req, http.StatusNotFound)

}
}

if versionMetadata.Destroyed {
return logical.RespondWithStatusCode(resp, req, http.StatusNotFound)

}

versionKey, err := b.getVersionKey(ctx, key, versionNum, req.Storage)
if err != nil {
return nil, err
}

raw, err := req.Storage.Get(ctx, versionKey)
if err != nil {
return nil, err
}
if raw == nil {
return nil, errors.New("could not find version data")
}

version := &Version{}
if err := proto.Unmarshal(raw.Value, version); err != nil {
return nil, err
}

versionData := map[string]interface{}{}
if err := json.Unmarshal(version.Data, &versionData); err != nil {
return nil, err
}

removeValues(versionData, depth)
resp.Data["subkeys"] = versionData

return resp, nil
}
}

const subkeysHelpSyn = `Read the structure of a secret entry from the Key-Value store with the values removed.`
const subkeysHelpDesc = `
This endpoint provides the subkeys within a secret entry that exists at the requested path.
The secret entry at this path will be retrieved and stripped of all data by replacing
underlying values of leaf keys (i.e. non-map keys or map keys with no underlying subkeys) with null.
The "version" parameter specifies which version of the secret to read when
generating the subkeys structure. If not provided, the current version will be used.
The "depth" parameter specifies the deepest nesting level to provide in the output.
The default value 0 will not impose any limit. If non-zero, keys that reside at the
specified depth value will be artificially treated as leaves and will thus be null
even if further underlying subkeys exist.
`
Loading

0 comments on commit a1df167

Please sign in to comment.