-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sys/config: config state endpoint #7424
Changes from 11 commits
7a45f56
66afa3c
e612b78
15f41ee
c4a9edb
9cfbdb3
d1d2919
048961c
0813829
31c2454
6567fac
543f765
26fdcb5
7fef0b8
66eb350
507f708
95ab4e0
da85f38
219d6ee
d5b5a9f
d62aa0f
86a808c
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -905,3 +905,120 @@ func parseTelemetry(result *Config, list *ast.ObjectList) error { | |
|
||
return nil | ||
} | ||
|
||
// Sanitized returns a copy of the config with all values that are considered | ||
// sensitive stripped. It also strips all raw values that are mainly | ||
// used for parsing. | ||
// | ||
// Specifically, the fields that this method strips are: | ||
// - Storage.Config | ||
// - HAStorage.Config | ||
// - Seals.Config | ||
// - Telemetry.CirconusAPIToken | ||
func (c *Config) Sanitized() *Config { | ||
// Sanitize storage stanza | ||
var sanitizedStorage *Storage | ||
if c.Storage != nil { | ||
sanitizedStorage = &Storage{ | ||
Type: c.Storage.Type, | ||
RedirectAddr: c.Storage.RedirectAddr, | ||
ClusterAddr: c.Storage.ClusterAddr, | ||
DisableClustering: c.Storage.DisableClustering, | ||
} | ||
} | ||
|
||
// Sanitize HA storage stanza | ||
var sanitizedHAStorage *Storage | ||
if c.HAStorage != nil { | ||
sanitizedHAStorage = &Storage{ | ||
Type: c.HAStorage.Type, | ||
RedirectAddr: c.HAStorage.RedirectAddr, | ||
ClusterAddr: c.HAStorage.ClusterAddr, | ||
DisableClustering: c.HAStorage.DisableClustering, | ||
} | ||
} | ||
|
||
// Sanitize seals stanza | ||
var sanitizedSeals []*Seal | ||
if len(c.Seals) != 0 { | ||
for _, s := range c.Seals { | ||
cleanSeal := &Seal{ | ||
Type: s.Type, | ||
Disabled: s.Disabled, | ||
} | ||
sanitizedSeals = append(sanitizedSeals, cleanSeal) | ||
} | ||
} | ||
|
||
// Sanitize telemetry stanza | ||
var sanitizedTelemetry *Telemetry | ||
if c.Telemetry != nil { | ||
sanitizedTelemetry = &Telemetry{ | ||
StatsiteAddr: c.Telemetry.StatsiteAddr, | ||
StatsdAddr: c.Telemetry.StatsdAddr, | ||
DisableHostname: c.Telemetry.DisableHostname, | ||
CirconusAPIToken: "", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Wouldn't it be easier to copy c.Telemetry and then overwrite CirconusAPIToken with There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. My concern of doing it this way is that we could accidentally output any newly added sensitive fields if we forget to overwrite it here. |
||
CirconusAPIApp: c.Telemetry.CirconusAPIApp, | ||
CirconusAPIURL: c.Telemetry.CirconusAPIURL, | ||
CirconusSubmissionInterval: c.Telemetry.CirconusSubmissionInterval, | ||
CirconusCheckSubmissionURL: c.Telemetry.CirconusCheckSubmissionURL, | ||
CirconusCheckID: c.Telemetry.CirconusCheckID, | ||
CirconusCheckForceMetricActivation: c.Telemetry.CirconusCheckForceMetricActivation, | ||
CirconusCheckInstanceID: c.Telemetry.CirconusCheckInstanceID, | ||
CirconusCheckSearchTag: c.Telemetry.CirconusCheckSearchTag, | ||
CirconusCheckTags: c.Telemetry.CirconusCheckTags, | ||
CirconusCheckDisplayName: c.Telemetry.CirconusCheckDisplayName, | ||
CirconusBrokerID: c.Telemetry.CirconusBrokerID, | ||
CirconusBrokerSelectTag: c.Telemetry.CirconusBrokerSelectTag, | ||
DogStatsDAddr: c.Telemetry.DogStatsDAddr, | ||
DogStatsDTags: c.Telemetry.DogStatsDTags, | ||
PrometheusRetentionTime: c.Telemetry.PrometheusRetentionTime, | ||
PrometheusRetentionTimeRaw: c.Telemetry.PrometheusRetentionTimeRaw, | ||
StackdriverProjectID: c.Telemetry.StackdriverProjectID, | ||
StackdriverLocation: c.Telemetry.StackdriverLocation, | ||
StackdriverNamespace: c.Telemetry.StackdriverNamespace, | ||
} | ||
} | ||
|
||
return &Config{ | ||
Listeners: c.Listeners, | ||
Storage: sanitizedStorage, | ||
HAStorage: sanitizedHAStorage, | ||
Seals: sanitizedSeals, | ||
|
||
CacheSize: c.CacheSize, | ||
DisableCache: c.DisableCache, | ||
DisableMlock: c.DisableMlock, | ||
DisablePrintableCheck: c.DisablePrintableCheck, | ||
|
||
EnableUI: c.EnableUI, | ||
|
||
Telemetry: sanitizedTelemetry, | ||
|
||
MaxLeaseTTL: c.MaxLeaseTTL, | ||
DefaultLeaseTTL: c.DefaultLeaseTTL, | ||
|
||
DefaultMaxRequestDuration: c.DefaultMaxRequestDuration, | ||
|
||
ClusterName: c.ClusterName, | ||
ClusterCipherSuites: c.ClusterCipherSuites, | ||
|
||
PluginDirectory: c.PluginDirectory, | ||
|
||
LogLevel: c.LogLevel, | ||
LogFormat: c.LogFormat, | ||
|
||
PidFile: c.PidFile, | ||
EnableRawEndpoint: c.EnableRawEndpoint, | ||
|
||
APIAddr: c.APIAddr, | ||
ClusterAddr: c.ClusterAddr, | ||
DisableClustering: c.DisableClustering, | ||
|
||
DisablePerformanceStandby: c.DisablePerformanceStandby, | ||
|
||
DisableSealWrap: c.DisableSealWrap, | ||
|
||
DisableIndexing: c.DisableIndexing, | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
disable_cache = true | ||
disable_mlock = true | ||
|
||
ui = true | ||
|
||
api_addr = "top_level_api_addr" | ||
cluster_addr = "top_level_cluster_addr" | ||
|
||
listener "tcp" { | ||
address = "127.0.0.1:443" | ||
} | ||
|
||
backend "consul" { | ||
advertise_addr = "foo" | ||
token = "foo" | ||
} | ||
|
||
ha_backend "consul" { | ||
bar = "baz" | ||
advertise_addr = "snafu" | ||
disable_clustering = "true" | ||
token = "foo" | ||
} | ||
|
||
telemetry { | ||
statsd_address = "bar" | ||
circonus_api_token = "baz" | ||
} | ||
|
||
seal "awskms" { | ||
region = "us-east-1" | ||
access_key = "AKIAIOSFODNN7EXAMPLE" | ||
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | ||
} | ||
|
||
max_lease_ttl = "10h" | ||
default_lease_ttl = "10h" | ||
cluster_name = "testcluster" | ||
pid_file = "./pidfile" | ||
raw_storage_endpoint = true | ||
disable_sealwrap = true |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
package http | ||
|
||
import ( | ||
"encoding/json" | ||
"net/http" | ||
"reflect" | ||
"strconv" | ||
"strings" | ||
"testing" | ||
"time" | ||
|
||
"github.com/fatih/structs" | ||
"github.com/hashicorp/vault/command/server" | ||
"github.com/hashicorp/vault/vault" | ||
) | ||
|
||
func TestSysConfigState_Sanitized(t *testing.T) { | ||
var resp *http.Response | ||
|
||
core, _, token := vault.TestCoreUnsealed(t) | ||
ln, addr := TestServer(t, core) | ||
defer ln.Close() | ||
TestServerAuth(t, addr, token) | ||
|
||
resp = testHttpGet(t, token, addr+"/v1/sys/config/state/sanitized") | ||
testResponseStatus(t, resp, 200) | ||
|
||
var actual map[string]interface{} | ||
var expected map[string]interface{} | ||
|
||
expectedConfig := new(server.Config) | ||
configResp := structs.New(expectedConfig.Sanitized()).Map() | ||
|
||
var nilObject interface{} | ||
// Do some surgery on the expected config to line up the | ||
// types and string the raw fields. | ||
for k, v := range configResp { | ||
if strings.HasSuffix(k, "Raw") { | ||
delete(configResp, k) | ||
continue | ||
} | ||
switch v.(type) { | ||
case int: | ||
configResp[k] = json.Number(strconv.Itoa(v.(int))) | ||
case time.Duration: | ||
configResp[k] = json.Number(strconv.Itoa(int(v.(time.Duration)))) | ||
} | ||
} | ||
configResp["HAStorage"] = nilObject | ||
configResp["Storage"] = nilObject | ||
configResp["Telemetry"] = nilObject | ||
|
||
expected = map[string]interface{}{ | ||
"lease_id": "", | ||
"renewable": false, | ||
"lease_duration": json.Number("0"), | ||
"wrap_info": nil, | ||
"warnings": nil, | ||
"auth": nil, | ||
"data": configResp, | ||
} | ||
|
||
testResponseBody(t, resp, &actual) | ||
expected["request_id"] = actual["request_id"] | ||
|
||
if !reflect.DeepEqual(actual, expected) { | ||
t.Fatalf("bad mismatch response body:\nexpected:\n%#v\nactual:\n%#v", expected, actual) | ||
} | ||
|
||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It feels like stripping out Storage.Config is extreme. I understand that it's impractical to be more fine-grained in general, but our enterprise customers are mostly going to be using Consul and Raft. Can we special-case those and only strip out the truly sensitive config, e.g. consul token?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we were going to show certain values from Config, I think the safer approach would be to have an allow-list rather than a set of values to strip, as they could be easily overlooked/forgotten since it's better to forget adding a non-sensitive value than leaking a sensitive one. I started down this road initially, but stopped after realizing the numerous types of storage backends that we support and the number of fields that we'd need to include for each of those.
I think the cleaner approach would be to have a separate endpoint that displayed the complete configuration file params, including the Config map (and that could be included in the debug bundle in a future release), but didn't want to add this prematurely.